Consolidated Platform Configuration Guide, Cisco IOS XE Release 3.3SE (Cisco WLC 5700 Series)
Configuring Wireless Guest Access

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Guest Access

  • All mobility peers should be configured for hierarchical mobility architecture.
  • For the Guest Controller, the mobility anchor configuration on the WLAN is required on both the Mobility Agent and the Guest Controller.
  • Guest Access can be a 3-box solution or a 2-box solution. The mobility tunnel link status should be up between:
    • Mobility Agent, Mobility Controller, and Guest Controller,
    or
    • Mobility Agent/Mobility Controller and Guest Controller.

Restrictions for Guest Access

Guest Controller functionality is supported only on Catalyst 5760.

Information about Wireless Guest Access

Ideally, the implementation of a wireless guest network uses as much of an enterprise’s existing wireless and wired infrastructure as possible to avoid the cost and complexity of building a physical overlay network. Assuming this is the case, the following additional elements and functions are needed:

  • A dedicated guest WLAN/SSID—Implemented throughout the campus wireless network wherever guest access is required. A guest WLAN is identified by a WLAN with mobility anchor (Guest Controller) configured.
  • Guest traffic segregation—Requires implementing Layer 2 or Layer 3 techniques across the campus network to restrict where guests are allowed to go.
  • Access control—Involves using embedded access control functionality within the campus network or implementing an external platform to control guest access to the Internet from the enterprise network.
  • Guest user credential management—A process by which a sponsor or lobby administrator can create temporary credentials on behalf of a guest. This function might be resident within an access control platform or it might be a component of AAA or some other management system.

Fast Secure Roaming

Fast secure roaming can be achieved by caching the Pairwise Master Key (PMK) information for Cisco Centralized Key Management (CCKM), 802.11r and 802.11i clients. Cisco Centralized Key Management (CCKM) helps to improve roaming. Only the client can initiate the roaming process, which depends on factors such as:
  • Overlap between APs
  • Distance between APs
  • Channel, signal strength, and load on the AP
  • Data rates and output power
Whenever a fast-roaming client (802.11i, CCKM) roams to a new device, it goes through the mobility "handoff" procedure after the fast roam, and any new AAA attributes learned through that handoff procedure are re-applied.

To meet the full requirements of fast secure roaming, a client using 802.11i WPA2, CCKM, or 802.11r must avoid full L2 authentication during roaming. The PMK cache (802.11i, CCKM, and 802.11r) is used to authenticate and derive the keys for roaming clients so that full L2 authentication is not needed. This requires all Mobility Anchors (MA) and Mobility Controllers (MC) in the mobility group to hold the same PMK cache values.

The session timeout defines when a PMK cache entry expires. A PMK cache entry is also deleted when a client fails to re-authenticate or when it is manually deleted from the CLI. A deletion on the original controller or switch is propagated to the other controllers or switches in the same mobility group.

How to Configure Guest Access

Creating a Lobby Administrator Account

SUMMARY STEPS

  1. configure terminal
  2. user-name user-name
  3. type lobby-admin
  4. password 0 password
  5. end
  6. show running-config | section user-name (or) show running-config | section configured lobby admin username

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  user-name user-name
    Example:  Controller (config)# user-name lobby
    Purpose:  Creates a user account.

  Step 3  type lobby-admin
    Example:  Controller (config-user-name)# type lobby-admin
    Purpose:  Specifies the account type as lobby admin.

  Step 4  password 0 password
    Example:  Controller (config-user-name)# password 0 lobby
    Purpose:  Creates a password for the lobby administrator account.

  Step 5  end
    Example:  Controller (config-user-name)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 6  show running-config | section user-name (or) show running-config | section configured lobby admin username
    Example:  Controller # show running-config | section lobby
    Purpose:  Displays the configuration details.

     

Configuring Guest User Accounts

SUMMARY STEPS

  1. configure terminal
  2. user-name user-name
  3. password unencrypted/hidden-password password
  4. type network-user description description guest-user lifetime year 0-1 month 0-11 day 0-30 hour 0-23 minute 0-59 second 0-59
  5. end
  6. show aaa local netuser all
  7. show running-config | section user-name

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  user-name user-name
    Example:  Controller (config)# user-name guest
    Purpose:  Creates a username for the lobby ambassador account.

  Step 3  password unencrypted/hidden-password password
    Example:  Controller (config-user-name)# password 0 guest
    Purpose:  Specifies the password for the user.

  Step 4  type network-user description description guest-user lifetime year 0-1 month 0-11 day 0-30 hour 0-23 minute 0-59 second 0-59
    Example:  Controller (config-user-name)# type network-user description guest guest-user lifetime year 1 month 10 day 3 hour 1 minute 5 second 30
    Purpose:  Specifies the type of user.

  Step 5  end
    Example:  Controller (config-user-name)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 6  show aaa local netuser all
    Example:  Controller # show aaa local netuser all
    Purpose:  Displays the configuration details. After the lifetime expires, the user-name of guest type is deleted and the client associated with that guest user-name is deauthenticated.

  Step 7  show running-config | section user-name
    Example:  Controller # show running-config | section guest
    Purpose:  Displays the configuration details.
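As an added example that is not part of this guide, the following Python script audits the lobby-admin and guest user-name blocks that the two procedures above create, run over a constructed running-config excerpt: it flags accounts whose password is stored as type 0 (unencrypted in the configuration, as in the examples) and guest accounts whose guest-user lifetime exceeds an assumed local policy maximum. The 365-day year and 30-day month used to convert the lifetime, the 7-day policy limit and the function names are this example's assumptions, not the controller's own behaviour.

```python
import re

# Constructed sample of the lobby-admin and guest user-name blocks of a running-config,
# modelled on the examples in the two procedures above (not captured from a real controller).
SAMPLE_CONFIG = """\
user-name lobby
 type lobby-admin
 password 0 lobby
user-name guest
 password 0 guest
 type network-user description guest guest-user lifetime year 1 month 10 day 3 hour 1 minute 5 second 30
user-name visitor
 password 7 0822455D0A16
 type network-user description visitor guest-user lifetime year 0 month 0 day 1 hour 0 minute 0 second 0
"""

LIFETIME_RE = re.compile(
    r"guest-user lifetime year (\d+) month (\d+) day (\d+) hour (\d+) minute (\d+) second (\d+)")


def parse_users(config_text):
    """Group each 'user-name' block into {name: {"type", "password_type", "lifetime"}}."""
    users, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("user-name "):
            current = line.split(None, 1)[1].strip()
            users[current] = {"type": None, "password_type": None, "lifetime": None}
        elif current is not None and line.startswith(" "):
            body = line.strip()
            if body.startswith("password "):
                # "password 0 ..." stores the password unencrypted in the configuration
                users[current]["password_type"] = body.split()[1]
            elif body.startswith("type "):
                users[current]["type"] = body.split()[1]
                m = LIFETIME_RE.search(body)
                if m:
                    users[current]["lifetime"] = tuple(int(x) for x in m.groups())
        else:
            current = None
    return users


def lifetime_seconds(lifetime):
    """Convert (year, month, day, hour, minute, second) to seconds.
    Assumption for auditing only: a year is 365 days and a month 30 days."""
    y, mo, d, h, mi, s = lifetime
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s


def audit_users(config_text, max_guest_seconds=7 * 24 * 3600):
    """Return (user, finding) pairs; max_guest_seconds is an assumed local policy (7 days)."""
    findings = []
    for name, u in parse_users(config_text).items():
        if u["password_type"] == "0":
            findings.append((name, "cleartext password (type 0) in running-config"))
        if (u["type"] == "network-user" and u["lifetime"] is not None
                and lifetime_seconds(u["lifetime"]) > max_guest_seconds):
            findings.append((name, "guest lifetime exceeds policy maximum"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_CONFIG):
        print(f"{user}: {finding}")
```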

       

Configuring Mobility Agent (MA)

SUMMARY STEPS

  1. configure terminal
  2. wireless mobility controller ip mc-ipaddress public-ip mc-publicipaddress
  3. wlan wlan-name wlan-id ssid
  4. client vlan id vlan-group name/vlan-id
  5. no security wpa
  6. mobility anchor ipaddress
  7. aaa-override
  8. no shutdown
  9. end
  10. show wireless mobility summary
  11. show wlan name wlan-name/id

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  wireless mobility controller ip mc-ipaddress public-ip mc-publicipaddress
    Example:  Controller (config)# wireless mobility controller ip 27.0.0.1 public-ip 27.0.0.1
    Purpose:  Configures the Mobility Controller with which the MA will be associated.

  Step 3  wlan wlan-name wlan-id ssid
    Example:  Controller (config)# wlan mywlan 34 mywlan-ssid
    Purpose:
      • For wlan-name, enter the profile name. The range is 1-32 characters.
      • For wlan-id, enter the WLAN ID. The range is 1-512.
      • For ssid, enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

  Step 4  client vlan id vlan-group name/vlan-id
    Example:  Controller (config-wlan)# client vlan VLAN0136
    Purpose:  Configures the VLAN ID or VLAN group of the WLAN.

  Step 5  no security wpa
    Example:  Controller (config-wlan)# no security wpa
    Purpose:  The security configuration must be the same as that of the WLAN created on the GC. This example is for open authentication; for other security types, such as webauth, provide the appropriate command.

  Step 6  mobility anchor ipaddress
    Example:  Controller (config-wlan)# mobility anchor 9.3.32.2
    Purpose:  Configures the Guest Controller as the mobility anchor.

  Step 7  aaa-override
    Example:  Controller (config-wlan)# aaa-override
    Purpose:  (Optional) Enables AAA override. AAA override is required for non-open authentication when AAA attributes are to take priority. It is needed only when a guest user must be deauthenticated after the lifetime expires or when AAA-override attributes must be applied to the user.

  Step 8  no shutdown
    Example:  Controller (config-wlan)# no shutdown
    Purpose:  Enables the WLAN.

  Step 9  end
    Example:  Controller (config-wlan)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 10  show wireless mobility summary
    Example:  Controller # show wireless mobility summary
    Purpose:  Verifies the mobility controller IP address and the mobility tunnel status.

  Step 11  show wlan name wlan-name/id
    Example:  Controller # show wlan name mywlan
    Purpose:  Displays the mobility anchor configuration of the WLAN.

         

Configuring Mobility Controller

Mobility Controller mode should be enabled using the wireless mobility controller command.

SUMMARY STEPS

  1. configure terminal
  2. wireless mobility group member ip ip-address public-ip ip-address group group-name
  3. wireless mobility controller peer-group peer-group-name
  4. wireless mobility controller peer-group peer-group-name member ip ipaddress public-ip ipaddress
  5. end
  6. show wireless mobility summary

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  wireless mobility group member ip ip-address public-ip ip-address group group-name
    Example:  Controller (config)# wireless mobility group member ip 27.0.0.1 public-ip 23.0.0.1 group test
    Purpose:  Adds all peers within the MC group. The ip-address should be the guest controller's IP address.

  Step 3  wireless mobility controller peer-group peer-group-name
    Example:  Controller (config)# wireless mobility controller peer-group pg
    Purpose:  Creates the switch peer group.

  Step 4  wireless mobility controller peer-group peer-group-name member ip ipaddress public-ip ipaddress
    Example:  Controller (config)# wireless mobility controller peer-group pg member ip 9.7.136.10 public-ip 9.7.136.10
    Purpose:  Adds the MA to the switch peer group.

  Step 5  end
    Example:  Controller (config)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 6  show wireless mobility summary
    Example:  Controller # show wireless mobility summary
    Purpose:  Displays the configuration details.

           

Configuring Guest Controller

SUMMARY STEPS

  1. configure terminal
  2. wireless mobility group member ip ip-address public-ip ip-address group group-name
  3. wlan wlan-name wlan-id ssid
  4. client vlan id vlan-group name/vlan-id
  5. no security wpa
  6. mobility anchor self-ipaddress
  7. aaa-override
  8. security web-auth authentication-list authentication-list-name
  9. security web-auth parameter-map parameter-map-name
  10. no shutdown
  11. end
  12. show wireless mobility summary

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  wireless mobility group member ip ip-address public-ip ip-address group group-name
    Example:  Controller (config)# wireless mobility group member ip 27.0.0.1 public-ip 23.0.0.1 group test
    Purpose:  Configures the mobility group member with the mobility controller's IP address.

  Step 3  wlan wlan-name wlan-id ssid
    Example:  Controller (config)# wlan mywlan 34 mywlan-ssid
    Purpose:
      • For wlan-name, enter the profile name. The range is 1-32 characters.
      • For wlan-id, enter the WLAN ID. The range is 1-64.
      • For ssid, enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

  Step 4  client vlan id vlan-group name/vlan-id
    Example:  Controller (config-wlan)# client vlan VLAN0136
    Purpose:  Configures the VLAN ID or VLAN group of the WLAN.

  Step 5  no security wpa
    Example:  Controller (config-wlan)# no security wpa
    Purpose:  The security configuration must be the same as that of the WLAN created on the MA. For security types such as open and webauth, provide the appropriate command.

  Step 6  mobility anchor self-ipaddress
    Example:  Controller (config-wlan)# mobility anchor 9.3.32.2
    Purpose:  Configures the WLAN with the mobility anchor IP set to the controller's own IP address.

  Step 7  aaa-override
    Example:  Controller (config-wlan)# aaa-override
    Purpose:  (Optional) Enables AAA override.

  Step 8  security web-auth authentication-list authentication-list-name
    Example:  Controller (config-wlan)# security web-auth authentication-list test
    Purpose:  Maps the authentication list name to the web-auth WLAN.

  Step 9  security web-auth parameter-map parameter-map-name
    Example:  Controller (config-wlan)# security web-auth parameter-map webparalocal
    Purpose:  Maps the parameter-map name to the web-auth WLAN.

  Step 10  no shutdown
    Example:  Controller (config-wlan)# no shutdown
    Purpose:  Enables the WLAN.

  Step 11  end
    Example:  Controller (config-wlan)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 12  show wireless mobility summary
    Example:  Controller # show wireless mobility summary
    Purpose:  Displays the configuration details. The WLAN configuration on the MA and the MC must be the same, including the WLAN ID.
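As an added example that is not part of this guide, this Python check parses the wlan section of a running-config excerpt from the MA and from the GC (both constructed here, modelled on the MA and GC procedures above, with the GC copy deliberately carrying a different WLAN ID) and reports the differences those procedures say must not exist: a different WLAN ID or SSID, a missing mobility anchor to the GC on either side, and security sub-commands present on one side only. The profile name mywlan and the GC address 9.3.32.2 follow the page's own examples; the parser and function names are this example's assumptions.

```python
import re

# Constructed WLAN sections as they would appear in "show running-config | section wlan"
# on the MA and on the GC (not captured from real controllers).
MA_WLAN = """\
wlan mywlan 34 mywlan-ssid
 client vlan VLAN0136
 no security wpa
 mobility anchor 9.3.32.2
 aaa-override
"""

GC_WLAN = """\
wlan mywlan 35 mywlan-ssid
 client vlan VLAN0136
 no security wpa
 mobility anchor 9.3.32.2
 security web-auth
 security web-auth authentication-list test
 security web-auth parameter-map webparalocal
"""

# "wlan <profile> <id> [<ssid>]"; when the SSID is omitted the profile name is the SSID.
WLAN_HDR = re.compile(r"^wlan (\S+) (\d+)(?: (\S+))?$")


def parse_wlans(config_text):
    """Return {profile: {"id": int, "ssid": str, "lines": set of sub-commands}}."""
    wlans, current = {}, None
    for line in config_text.splitlines():
        m = WLAN_HDR.match(line)
        if m:
            name, wid, ssid = m.group(1), int(m.group(2)), m.group(3) or m.group(1)
            current = wlans[name] = {"id": wid, "ssid": ssid, "lines": set()}
        elif current is not None and line.startswith(" "):
            current["lines"].add(line.strip())
        else:
            current = None
    return wlans


def anchors(wlan):
    """IP addresses named in 'mobility anchor' sub-commands."""
    return {l.split()[-1] for l in wlan["lines"] if l.startswith("mobility anchor ")}


def security_lines(wlan):
    """Security sub-commands, including the explicit 'no security wpa' of an open WLAN."""
    return {l for l in wlan["lines"] if l.startswith(("security ", "no security "))}


def compare_guest_wlan(ma_text, gc_text, profile, gc_ip):
    """Check the guest WLAN profile on the MA against the same profile on the GC."""
    ma, gc = parse_wlans(ma_text).get(profile), parse_wlans(gc_text).get(profile)
    if ma is None or gc is None:
        return [f"profile {profile} missing on " + ("MA" if ma is None else "GC")]
    findings = []
    if ma["id"] != gc["id"]:
        findings.append(f"wlan-id differs: MA {ma['id']} vs GC {gc['id']}")
    if ma["ssid"] != gc["ssid"]:
        findings.append(f"ssid differs: MA {ma['ssid']} vs GC {gc['ssid']}")
    if gc_ip not in anchors(ma):
        findings.append(f"MA does not anchor {profile} to the GC {gc_ip}")
    if gc_ip not in anchors(gc):
        findings.append(f"GC does not anchor {profile} to itself ({gc_ip})")
    # Security configuration must match on both sides for the anchored guest WLAN.
    for side, only in (("MA", security_lines(ma) - security_lines(gc)),
                       ("GC", security_lines(gc) - security_lines(ma))):
        for l in sorted(only):
            findings.append(f"security line only on {side}: {l}")
    return findings


if __name__ == "__main__":
    for finding in compare_guest_wlan(MA_WLAN, GC_WLAN, "mywlan", "9.3.32.2"):
        print(finding)
```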

             

Obtaining a Web Authentication Certificate

SUMMARY STEPS

  1. configure terminal
  2. crypto pki import trustpoint-name pkcs12 tftp: passphrase
  3. end
  4. show crypto pki trustpoints cert

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  crypto pki import trustpoint-name pkcs12 tftp: passphrase
    Example:  Controller (config)# crypto pki import cert pkcs12 tftp://9.1.0.100/ldapserver-cert.p12 cisco
    Purpose:  Imports the certificate.

  Step 3  end
    Example:  Controller (config)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 4  show crypto pki trustpoints cert
    Example:  Controller # show crypto pki trustpoints cert
    Purpose:  Displays the configuration details.

               

Displaying a Web Authentication Certificate

SUMMARY STEPS

  1. show crypto ca certificate verb

DETAILED STEPS

  Step 1  show crypto ca certificate verb
    Example:  Controller # show crypto ca certificate verb
    Purpose:  Displays the current web authentication certificate details.

                 

Choosing the Default Web Authentication Login Page

The AAA override flag must be enabled on the WLAN for web authentication using a local or remote AAA server.

SUMMARY STEPS

  1. configure terminal
  2. parameter-map type webauth parameter-map-name
  3. wlan wlan-name
  4. shutdown
  5. security web-auth
  6. security web-auth authentication-list authentication-list-name
  7. security web-auth parameter-map parameter-map-name
  8. no shutdown
  9. end
  10. show running-config | section wlan-name
  11. show running-config | section parameter-map type webauth parameter-map

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  parameter-map type webauth parameter-map-name
    Example:  Controller (config)# parameter-map type webauth test
    Purpose:  Configures the web-auth parameter map.

  Step 3  wlan wlan-name
    Example:  Controller (config)# wlan wlan10
    Purpose:  For wlan-name, enter the profile name. The range is 1-32 characters.

  Step 4  shutdown
    Example:  Controller (config-wlan)# shutdown
    Purpose:  Disables the WLAN.

  Step 5  security web-auth
    Example:  Controller (config-wlan)# security web-auth
    Purpose:  Enables web-auth on the WLAN.

  Step 6  security web-auth authentication-list authentication-list-name
    Example:  Controller (config-wlan)# security web-auth authentication-list test
    Purpose:  Maps the authentication list name to the web-auth WLAN.

  Step 7  security web-auth parameter-map parameter-map-name
    Example:  Controller (config-wlan)# security web-auth parameter-map test
    Purpose:  Maps the parameter-map name to the web-auth WLAN.

  Step 8  no shutdown
    Example:  Controller (config-wlan)# no shutdown
    Purpose:  Enables the WLAN.

  Step 9  end
    Example:  Controller (config-wlan)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 10  show running-config | section wlan-name
    Example:  Controller # show running-config | section mywlan
    Purpose:  Displays the configuration details.

  Step 11  show running-config | section parameter-map type webauth parameter-map
    Example:  Controller # show running-config | section parameter-map type webauth test
    Purpose:  Displays the configuration details.

                   

Choosing a Customized Web Authentication Login Page from an External Web Server

The AAA override flag must be enabled on the WLAN for web authentication using a local or remote AAA server.

SUMMARY STEPS

  1. configure terminal
  2. parameter-map type webauth global
  3. virtual-ip {ipv4 | ipv6} ip-address
  4. parameter-map type webauth parameter-map-name
  5. type {authbypass | consent | webauth | webconsent}
  6. redirect [for-login | on-success | on-failure] URL
  7. redirect portal {ipv4 | ipv6} ip-address
  8. end
  9. show running-config | section parameter-map

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  parameter-map type webauth global
    Example:  Controller (config)# parameter-map type webauth global
    Purpose:  Configures the global webauth parameter map.

  Step 3  virtual-ip {ipv4 | ipv6} ip-address
    Example:  Controller (config-params-parameter-map)# virtual-ip ipv4 1.1.1.1
    Purpose:  Configures the virtual IP address.

  Step 4  parameter-map type webauth parameter-map-name
    Example:  Controller (config-params-parameter-map)# parameter-map type webauth test
    Purpose:  Configures the named webauth parameter map.

  Step 5  type {authbypass | consent | webauth | webconsent}
    Example:  Controller (config-params-parameter-map)# type webauth
    Purpose:  Configures webauth subtypes such as consent, passthru, webauth, or webconsent.

  Step 6  redirect [for-login | on-success | on-failure] URL
    Example:  Controller (config-params-parameter-map)# redirect for-login http://9.1.0.100/login.html
    Purpose:  Configures the redirect URL for the login page, the success page, or the failure page.

  Step 7  redirect portal {ipv4 | ipv6} ip-address
    Example:  Controller (config-params-parameter-map)# redirect portal ipv4 23.0.0.1
    Purpose:  Configures the external portal IPv4 address.

  Step 8  end
    Example:  Controller (config-params-parameter-map)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 9  show running-config | section parameter-map
    Example:  Controller # show running-config | section parameter-map
    Purpose:  Displays the configuration details.

                     

Assigning Login, Login Failure, and Logout Pages per WLAN

SUMMARY STEPS

  1. configure terminal
  2. parameter-map type webauth parameter-map-name
  3. custom-page login device html-filename
  4. custom-page login expired html-filename
  5. custom-page failure device html-filename
  6. custom-page success device html-filename
  7. end
  8. show running-config | section parameter-map type webauth parameter-map

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  parameter-map type webauth parameter-map-name
    Example:  Controller (config)# parameter-map type webauth test
    Purpose:  Configures the webauth parameter map.

  Step 3  custom-page login device html-filename
    Example:  Controller (config-params-parameter-map)# custom-page login device flash:login.html
    Purpose:  Specifies the filename of the customized web authentication login page.

  Step 4  custom-page login expired html-filename
    Example:  Controller (config-params-parameter-map)# custom-page login expired device flash:loginexpired.html
    Purpose:  Specifies the filename of the customized web authentication login-expired page.

  Step 5  custom-page failure device html-filename
    Example:  Controller (config-params-parameter-map)# custom-page failure device flash:loginfail.html
    Purpose:  Specifies the filename of the customized web authentication login failure page.

  Step 6  custom-page success device html-filename
    Example:  Controller (config-params-parameter-map)# custom-page success device flash:loginsuccess.html
    Purpose:  Specifies the filename of the customized web authentication login success page.

  Step 7  end
    Example:  Controller (config-params-parameter-map)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 8  show running-config | section parameter-map type webauth parameter-map
    Example:  Controller # show running-config | section parameter-map type webauth test
    Purpose:  Displays the configuration details.

                       

Configuring AAA-Override

SUMMARY STEPS

  1. configure terminal
  2. wlan wlan-name
  3. aaa-override
  4. end
  5. show running-config | section wlan-name

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  wlan wlan-name
    Example:  Controller (config)# wlan ramban
    Purpose:  For wlan-name, enter the profile name. The range is 1-32 characters.

  Step 3  aaa-override
    Example:  Controller (config-wlan)# aaa-override
    Purpose:  Enables AAA override on the WLAN.

  Step 4  end
    Example:  Controller (config-wlan)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 5  show running-config | section wlan-name
    Example:  Controller # show running-config | section ramban
    Purpose:  Displays the configuration details.

                         

Configuring Client Load Balancing

SUMMARY STEPS

  1. configure terminal
  2. wlan wlan-name
  3. shutdown
  4. mobility anchor ip-address1
  5. mobility anchor ip-address2
  6. no shutdown wlan
  7. end
  8. show running-config | section wlan-name

DETAILED STEPS

  Step 1  configure terminal
    Example:  Controller # configure terminal
    Purpose:  Enters global configuration mode.

  Step 2  wlan wlan-name
    Example:  Controller (config)# wlan ramban
    Purpose:  For wlan-name, enter the profile name.

  Step 3  shutdown
    Example:  Controller (config-wlan)# shutdown
    Purpose:  Disables the WLAN.

  Step 4  mobility anchor ip-address1
    Example:  Controller (config-wlan)# mobility anchor 9.7.136.15
    Purpose:  Configures a guest controller as a mobility anchor.

  Step 5  mobility anchor ip-address2
    Example:  Controller (config-wlan)# mobility anchor 9.7.136.16
    Purpose:  Configures a second guest controller as a mobility anchor.

  Step 6  no shutdown wlan
    Example:  Controller (config-wlan)# no shutdown wlan
    Purpose:  Enables the WLAN.

  Step 7  end
    Example:  Controller (config-wlan)# end
    Purpose:  Returns to privileged EXEC mode.

  Step 8  show running-config | section wlan-name
    Example:  Controller # show running-config | section ramban
    Purpose:  Displays the configuration details.

                           

                          Configuring Preauthentication ACL

                          SUMMARY STEPS

                            1.    configure terminal

                            2.    wlan wlan-name

                            3.    shutdown

                            4.    ip access-group web preauthrule

                            5.    no shutdown

                            6.    end

                            7.    show wlan name wlan-name


DETAILED STEPS

Step 1  configure terminal
        Example: Controller# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wlan wlan-name
        Example: Controller(config)# wlan ramban
        Purpose: For wlan-name, enter the profile name.

Step 3  shutdown
        Example: Controller(config-wlan)# shutdown
        Purpose: Disables the WLAN.

Step 4  ip access-group web preauthrule
        Example: Controller(config-wlan)# ip access-group web preauthrule
        Purpose: Applies the named ACL to client traffic on the WLAN before web authentication completes.

Step 5  no shutdown
        Example: Controller(config-wlan)# no shutdown
        Purpose: Enables the WLAN.

Step 6  end
        Example: Controller(config-wlan)# end
        Purpose: Returns to privileged EXEC mode.

Step 7  show wlan name wlan-name
        Example: Controller# show wlan name ramban
        Purpose: Displays the configuration details.


                            Configuring IOS ACL Definition

                            SUMMARY STEPS

                              1.    configure terminal

                              2.    ip access-list extended access-list number

                              3.    permit udp any eq port number any

                              4.    end

                              5.    show access-lists ACL number


DETAILED STEPS

Step 1  configure terminal
        Example: Controller# configure terminal
        Purpose: Enters global configuration mode.

Step 2  ip access-list extended access-list number
        Example: Controller(config)# ip access-list extended 102
        Purpose: Creates an extended IP access list and enters extended named ACL configuration mode.

Step 3  permit udp any eq port number any
        Example: Controller(config-ext-nacl)# permit udp any eq 8080 any
        Purpose: Adds an entry that permits UDP traffic from any source with the given source port to any destination (an eq clause that follows the source address matches the source port).

Step 4  end
        Example: Controller(config-ext-nacl)# end
        Purpose: Returns to privileged EXEC mode.

Step 5  show access-lists ACL number
        Example: Controller# show access-lists 102
        Purpose: Displays the configuration details.


                              Configuring Webpassthrough

                              SUMMARY STEPS

                                1.    configure terminal

                                2.    parameter-map type webauth parameter-map name

                                3.    type consent

                                4.    end

                                5.    show running-config | section parameter-map type webauth parameter-map


DETAILED STEPS

Step 1  configure terminal
        Example: Controller# configure terminal
        Purpose: Enters global configuration mode.

Step 2  parameter-map type webauth parameter-map name
        Example: Controller(config)# parameter-map type webauth webparalocal
        Purpose: Creates the webauth parameter map and enters parameter-map configuration mode.

Step 3  type consent
        Example: Controller(config-params-parameter-map)# type consent
        Purpose: Configures the web authentication type as consent (web passthrough).

Step 4  end
        Example: Controller(config-params-parameter-map)# end
        Purpose: Returns to privileged EXEC mode.

Step 5  show running-config | section parameter-map type webauth parameter-map
        Example: Controller# show running-config | section parameter-map type webauth webparalocal
        Purpose: Displays the configuration details.


                                Configuration Examples for Guest Access

                                Example: Creating a Lobby Ambassador Account

This example shows how to configure a lobby ambassador account.
Controller# configure terminal
Controller(config)# user-name lobby
Controller(config-user-name)# type lobby-admin
Controller(config-user-name)# password 0 lobby
Controller(config-user-name)# end
Controller# show running-config | section lobby
user-name lobby
 creation-time 1351118727
 password 0 lobby
 type lobby-admin


                                Example: Obtaining Web Authentication Certificate

                                This example shows how to obtain web authentication certificate.
                                Controller# configure terminal
                                Controller(config)# crypto pki import cert pkcs12 tftp://9.1.0.100/ldapserver-cert.p12 cisco
                                Controller(config)# end
Controller# show crypto pki trustpoints cert
Trustpoint cert:
    Subject Name:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
          Serial Number (hex): 00
    Certificate configured.
                                Controller# show crypto pki certificates cert
                                Certificate
                                  Status: Available
                                  Certificate Serial Number (hex): 04
                                  Certificate Usage: General Purpose
                                  Issuer: 
                                    e=rkannajr@cisco.com
                                    cn=sthaliya-lnx
                                    ou=WNBU
                                    o=Cisco
                                    l=SanJose
                                    st=California
                                    c=US
                                  Subject:
                                    Name: ldapserver
                                    e=rkannajr@cisco.com
                                    cn=ldapserver
                                    ou=WNBU
                                    o=Cisco
                                    st=California
                                    c=US
                                  Validity Date: 
                                    start date: 07:35:23 UTC Jan 31 2012
                                    end   date: 07:35:23 UTC Jan 28 2022
                                  Associated Trustpoints: cert ldap12 
                                  Storage: nvram:rkannajrcisc#4.cer
                                
                                CA Certificate
                                  Status: Available
                                  Certificate Serial Number (hex): 00
                                  Certificate Usage: General Purpose
                                  Issuer: 
                                    e=rkannajr@cisco.com
                                    cn=sthaliya-lnx
                                    ou=WNBU
                                    o=Cisco
                                    l=SanJose
                                    st=California
                                    c=US
                                  Subject: 
                                    e=rkannajr@cisco.com
                                    cn=sthaliya-lnx
                                    ou=WNBU
                                    o=Cisco
                                    l=SanJose
                                    st=California
                                    c=US
                                  Validity Date: 
                                    start date: 07:27:56 UTC Jan 31 2012
                                    end   date: 07:27:56 UTC Jan 28 2022
                                  Associated Trustpoints: cert ldap12 ldap 
                                  Storage: nvram:rkannajrcisc#0CA.cer
                                
                                

                                Example: Displaying a Web Authentication Certificate

                                This example shows how to display a web authentication certificate.
Controller# show crypto ca certificate verb
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 2A9636AC00000000858B
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: WS-C3780-6DS-S-2037064C0E80
    Serial Number: PID:WS-C3780-6DS-S SN:FOC1534X12Q
    cn=WS-C3780-6DS-S-2037064C0E80
    serialNumber=PID:WS-C3780-6DS-S SN:FOC1534X12Q
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca.crl
  Validity Date:
    start date: 15:43:22 UTC Aug 21 2011
    end   date: 15:53:22 UTC Aug 21 2021
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: A310B856 A41565F1 1D9410B5 7284CB21
  Fingerprint SHA1: 04F180F6 CA1A67AF 9D7F561A 2BB397A1 0F5EB3C9
  X509v3 extensions:
    X509v3 Key Usage: F0000000
      Digital Signature
      Non Repudiation
      Key Encipherment
      Data Encipherment
    X509v3 Subject Key ID: B9EEB123 5A3764B4 5E9C54A7 46E6EECA 02D283F7
    X509v3 Authority Key ID: D0C52226 AB4F4660 ECAE0591 C7DC5AD1 B047F76C
    Authority Info Access:
  Associated Trustpoints: CISCO_IDEVID_SUDI
  Key Label: CISCO_IDEVID_SUDI
                                
                                

                                Example: Configuring Guest User Accounts

                                This example shows how to configure a guest user account.
                                Controller# configure terminal
                                Controller(config)# user-name guest
                                Controller(config-user-name)# password 0 guest
                                Controller(config-user-name)# type network-user description guest guest-user lifetime year 1 month 10 day 3 hour 1 minute 5 second 30
                                Controller(config-user-name)# end
                                Controller# show aaa local netuser all
                                User-Name           : guest
                                Type                : guest
                                Password            : guest
                                Is_passwd_encrypted : No
                                Descriptio          : guest
                                Attribute-List      : Not-Configured
                                First-Login-Time    : Not-Logged-In
                                Num-Login           : 0
                                Lifetime            : 1 years 10 months 3 days 1 hours 5 mins 30 secs
                                Start-Time          : 20:47:37 chennai Dec 21 2012
                                

                                Example: Configuring Mobility Controller

                                This example shows how to configure a mobility controller.
                                Controller# configure terminal
                                Controller(config)# wireless mobility group member ip 27.0.0.1 public-ip 23.0.0.1 group test
                                Controller(config)# wireless mobility controller peer-group pg
                                Controller(config)# wireless mobility controller peer-group pg member ip 9.7.136.10 public-ip 9.7.136.10
                                Controller(config)# end
                                Controller# show wireless mobility summary
                                
                                Mobility Controller Summary:
                                
                                Mobility Role                                   : Mobility Controller
                                Mobility Protocol Port                          : 16666
                                Mobility Group Name                             : default
                                Mobility Oracle                                 : Enabled
                                DTLS Mode                                       : Enabled
                                Mobility Domain ID for 802.11r                  : 0xac34
                                Mobility Keepalive Interval                     : 10
                                Mobility Keepalive Count                        : 3
                                Mobility Control Message DSCP Value             : 7
                                Mobility Domain Member Count                    : 3
                                
                                Link Status is Control Link Status : Data Link Status
                                
                                Controllers configured in the Mobility Domain:
                                
                                IP               Public IP        Group Name       Multicast IP     Link Status
                                -------------------------------------------------------------------------------
                                9.9.9.2          -                default          0.0.0.0          UP   : UP
                                12.12.11.11      12.13.12.12      rasagna-grp                       DOWN : DOWN
                                27.0.0.1         23.0.0.1         test                              DOWN : DOWN
                                
                                Switch Peer Group Name            : spg1
                                Switch Peer Group Member Count    : 0
                                Bridge Domain ID                  : 0
                                Multicast IP Address              : 0.0.0.0
                                
                                Switch Peer Group Name            : pg
                                Switch Peer Group Member Count    : 1
                                Bridge Domain ID                  : 0
                                Multicast IP Address              : 0.0.0.0
                                
                                IP               Public IP             Link Status
                                --------------------------------------------------
                                9.7.136.10       9.7.136.10            DOWN : DOWN
                                

                                Example: Choosing the Default Web Authentication Login Page

                                This example shows how to choose a default web authentication login page.
                                Controller# configure terminal
                                Controller(config)# parameter-map type webauth test
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
                                Controller(config)# wlan wlan50
                                Controller(config-wlan)# shutdown
                                Controller(config-wlan)# security web-auth authentication-list test
                                Controller(config-wlan)# security web-auth parameter-map test
                                Controller(config-wlan)# no shutdown
                                Controller(config-wlan)# end
                                Controller# show running-config | section wlan50
                                wlan wlan50 50 wlan50
                                 security wpa akm cckm
                                 security wpa wpa1
                                 security wpa wpa1 ciphers aes
                                 security wpa wpa1 ciphers tkip
                                 security web-auth authentication-list test
                                 security web-auth parameter-map test
                                 session-timeout 1800
                                 no shutdown
                                
                                Controller# show running-config | section parameter-map type webauth test
                                parameter-map type webauth test
                                 type webauth
                                

                                Example: Choosing a Customized Web Authentication Login Page from an External Web Server

                                This example shows how to choose a customized web authentication login page from an external web server.
                                Controller# configure terminal
                                Controller(config)# parameter-map type webauth global
                                Controller(config-params-parameter-map)# virtual-ip ipv4 1.1.1.1
                                Controller(config-params-parameter-map)# parameter-map type webauth test
                                Controller(config-params-parameter-map)# type webauth
                                Controller(config-params-parameter-map)# redirect for-login http://9.1.0.100/login.html
                                Controller(config-params-parameter-map)# redirect portal ipv4 23.0.0.1
                                Controller(config-params-parameter-map)# end
                                Controller# show running-config | section parameter-map
                                parameter-map type webauth global
                                virtual-ip ipv4 1.1.1.1
                                parameter-map type webauth test
                                type webauth
                                redirect for-login http://9.1.0.100/login.html
                                redirect portal ipv4 23.0.0.1
                                security web-auth parameter-map rasagna-auth-map
                                security web-auth parameter-map test
                                
                                

                                Example: Assigning Login, Login Failure, and Logout Pages per WLAN

                                This example shows how to assign login, login failure and logout pages per WLAN.
                                Controller# configure terminal
                                Controller(config)# parameter-map type webauth test
                                Controller(config-params-parameter-map)# custom-page login device flash:loginsantosh.html
                                Controller(config-params-parameter-map)# custom-page login expired device flash:loginexpire.html
                                Controller(config-params-parameter-map)# custom-page failure device flash:loginfail.html
                                Controller(config-params-parameter-map)# custom-page success device flash:loginsucess.html
                                Controller(config-params-parameter-map)# end
Controller# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 23.0.0.1
 custom-page login device flash:loginsantosh.html
 custom-page success device flash:loginsucess.html
 custom-page failure device flash:loginfail.html
 custom-page login expired device flash:loginexpire.html
                                

                                Example: Configuring AAA-Override

                                This example shows how to configure aaa-override.
                                Controller# configure terminal
                                Controller(config)# wlan fff
                                Controller(config-wlan)# aaa-override
                                Controller(config-wlan)# end
Controller# show running-config | section fff
wlan fff 44 fff
 aaa-override
 shutdown
                                

                                Example: Configuring Client Load Balancing

                                This example shows how to configure client load balancing.
                                Controller# configure terminal
                                Controller(config)# wlan fff
                                Controller(config-wlan)# shutdown
                                Controller(config-wlan)# mobility anchor 9.7.136.15
                                Controller(config-wlan)# mobility anchor 9.7.136.16
                                Controller(config-wlan)# no shutdown wlan
                                Controller(config-wlan)# end
Controller# show running-config | section fff
wlan fff 44 fff
 aaa-override
 shutdown
                                
                                

                                Example: Configuring Preauthentication ACL

                                This example shows how to configure preauthentication ACL.
                                Controller# configure terminal
                                Controller(config)# wlan fff
                                Controller(config-wlan)# shutdown
                                Controller(config-wlan)# ip access-group web preauthrule
                                Controller(config-wlan)# no shutdown
                                Controller(config-wlan)# end
Controller# show wlan name fff
                                

                                Example: Configuring IOS ACL Definition

                                This example shows how to configure IOS ACL definition.
                                Controller# configure terminal
                                Controller(config)# ip access-list extended 102
                                Controller(config-ext-nacl)# permit udp any eq 8080 any
                                Controller(config-ext-nacl)# end
Controller# show access-lists 102
Extended IP access list 102
    10 permit udp any eq 8080 any
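
The Configuring Preauthentication ACL and Configuring IOS ACL Definition procedures above apply an ACL named preauthrule to the WLAN but never show its contents. The following is an added example, not taken from the Cisco guide, that defines a least-privilege pre-authentication ACL and binds it to the guest WLAN fff used in the examples; it assumes the external login page host 9.1.0.100 from the web-auth redirect examples serves the portal over HTTP.

```cisco
! Added example, not part of the Cisco guide. Defines the ACL "preauthrule"
! that the "ip access-group web preauthrule" step applies, then binds it to
! the guest WLAN "fff" from the examples. Assumptions: the external login
! page is hosted on 9.1.0.100 (the redirect target in the web-auth examples)
! and is served over HTTP; only DNS and that portal are reachable before login.
configure terminal
!
ip access-list extended preauthrule
 ! DNS, so an unauthenticated client can resolve the portal name
 permit udp any any eq domain
 ! the external web server that hosts login.html (HTTP only)
 permit tcp any host 9.1.0.100 eq www
 ! no further entries: the implicit "deny ip any any" at the end of the ACL
 ! blocks everything else until the client completes web authentication
 exit
!
! Assumption: DHCP is handled before this ACL is evaluated; if your deployment
! needs it in the ACL, add: permit udp any eq bootpc any eq bootps
!
wlan fff
 shutdown
 ip access-group web preauthrule
 no shutdown
 end
!
! Verify the entries and the WLAN binding
show access-lists preauthrule
show wlan name fff
```

The show access-lists output should list exactly the two permit entries; any additional permit lines widen what an unauthenticated guest can reach.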
                                

                                Example: Configuring Webpassthrough

                                This example shows how to configure webpassthrough.
                                Controller# configure terminal
                                Controller(config)# parameter-map type webauth webparalocal
                                Controller(config-params-parameter-map)# type consent
                                Controller(config-params-parameter-map)# end
Controller# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 23.0.0.1
                                

                                Additional References for Guest Access

Related Documents

Related Topic                                                                         Document Title
Mobility CLI commands                                                                 Mobility Command Reference, Cisco IOS XE 3SE (Cisco WLC 5700 Series)
Mobility configuration                                                                Mobility Configuration Guide, Cisco IOS XE 3SE (Cisco WLC 5700 Series)
Security CLI commands                                                                 Security Command Reference, Cisco IOS Release 3SE (Cisco WLC 5700 Series)
Configuring web-based authentication on the Catalyst 5700 Series Wireless Controller  Security Configuration Guide, Cisco IOS Release 3SE (Cisco WLC 5700 Series)
Wired guest access configuration and commands                                         Identity Based Networking Services

Standards and RFCs

Standard/RFC   Title
None           -

MIBs

MIB    MIBs Link
None   To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description                                                                                                        Link
The Cisco Support website provides extensive online resources, including documentation and tools for               http://www.cisco.com/support
troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and
Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature History and Information for Guest Access

Releases                     Feature Information
Cisco IOS XE Release 3.2SE   This feature was introduced.