The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator user, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.
The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
Restrictions for Managing User Accounts
The local user database is limited to a maximum of 2048 entries, which is also the default value. This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.
Creating a Lobby Ambassador Account
Creating a Lobby Ambassador Account (GUI)
Choose Management > Local Management Users to open the Local Management Users page.
This page lists the names and access privileges of the local management users.
If you want to delete any of the user accounts from the controller, hover your cursor over the blue drop-down arrow and choose Remove. However, deleting the default administrative user prohibits both GUI and CLI access to the controller. Therefore, you must create a user with administrative privileges (ReadWrite) before you remove the default user.
Click New to create a lobby ambassador account. The Local Management Users > New page appears.
In the User Name text box, enter a username for the lobby ambassador account.
Management usernames must be unique because they are stored in a single database.
In the Password and Confirm Password text boxes, enter a password for the lobby ambassador account.
Passwords are case sensitive. The settings for the management User Details parameters depend on the settings that you make in the Password Policy page. The following requirements are enforced on the password:
The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.
No character in the password can be repeated more than three times consecutively.
The password should not contain a management username or the reverse letters of a username.
The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters, by substituting 1, |, or !, by substituting 0 for o, or by substituting $ for s.
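The four password rules above, carried through as an added example that is not part of the Cisco guide: a small Python checker that an onboarding script could run before a management password is submitted. The guide does not say which letter 1, | and ! stand in for; the checker assumes i, so that c1sco and c!sco collapse onto cisco. It also applies the 24-character, no-space limit the guide states later for management usernames and passwords. The usernames and candidate passwords are constructed test values.

```python
"""Checker for the controller's management-password rules (added example,
not Cisco code). Assumption: 1, | and ! are treated as stand-ins for i."""

# Reverse map of the substitutions the guide lists; 1/|/! -> i is assumed.
SUBSTITUTIONS = {"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"}
FORBIDDEN_WORDS = ("cisco", "oscic", "admin", "nimda")
MAX_LENGTH = 24  # limit stated for management usernames and passwords


def normalize(password):
    """Lowercase and undo the substitutions so leetspeak variants collapse
    onto the plain forbidden words, e.g. 'C!$c0' -> 'cisco'."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def count_classes(password):
    """Number of character classes present: lower, upper, digit, special."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(ch) for ch in password))


def longest_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def contains_username(password, usernames):
    """True if any management username, or its reverse, appears in the password."""
    lowered = password.lower()
    for name in usernames:
        name = name.lower()
        if name and (name in lowered or name[::-1] in lowered):
            return True
    return False


def contains_forbidden_word(password):
    """True if a forbidden word appears after capitalization and
    substitution variants are collapsed."""
    normalized = normalize(password)
    return any(word in normalized for word in FORBIDDEN_WORDS)


def check_password(password, usernames=()):
    """Return the names of the rules the password violates; [] means acceptable."""
    problems = []
    if not password or len(password) > MAX_LENGTH:
        problems.append("length")
    if " " in password:
        problems.append("space")
    if count_classes(password) < 3:
        problems.append("classes")
    if longest_run(password) > 3:
        problems.append("repeat")
    if contains_username(password, usernames):
        problems.append("username")
    if contains_forbidden_word(password):
        problems.append("forbidden")
    return problems


if __name__ == "__main__":
    # Constructed inputs; "lobby1" stands in for an existing management username.
    existing = ["lobby1"]
    for candidate in ("Cisco123", "C!$c0-Pass9", "aaaa-Bb12",
                      "Guest-Pass42", "1ybboL-x9!", "password"):
        print(f"{candidate!r}: {check_password(candidate, existing) or 'ok'}")
```

The checker returns the violated rule names rather than a boolean so the caller can tell the user which rule to fix; the same normalization step is what makes the substitution variants in the last rule catchable at all.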
Choose LobbyAdmin from the User Access Mode drop-down list. This option enables the lobby ambassador to create guest user accounts.
The ReadOnly option creates an account with read-only privileges, and the ReadWrite option creates an administrative account with both read and write privileges.
Click Apply to commit your changes. The new lobby ambassador account appears in the list of local management users.
Click Save Configuration to save your changes.
Creating a Lobby Ambassador Account (CLI)
To create a lobby ambassador account use the following command:
Replacing lobby-admin with read-only creates an account with read-only privileges. Replacing lobby-admin with read-write creates an administrative account with both read and write privileges.
Creating Guest User Accounts as a Lobby Ambassador (GUI)
Log into the controller as the lobby ambassador, using the username and password. The Lobby Ambassador Guest Management > Guest Users List page appears.
Click New to create a guest user account. The Lobby Ambassador Guest Management > Guest Users List > New page appears.
In the User Name text box, enter a name for the guest user. You can enter up to 24 characters.
Perform one of the following:
If you want to generate an automatic password for this guest user, select the Generate Password check box. The generated password is entered automatically in the Password and Confirm Password text boxes.
If you want to create a password for this guest user, leave the Generate Password check box unselected and enter a password in both the Password and Confirm Password text boxes.
Passwords can contain up to 24 characters and are case sensitive.
From the Lifetime drop-down lists, choose the amount of time (in days, hours, minutes, and seconds) that this guest user account is to remain active. A value of zero (0) for all four text boxes creates a permanent account.
Default: 1 day
Range: 5 minutes to 30 days
The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication.
You can change a guest user account with a nonzero lifetime to another lifetime value at any time while the account is active. However, to make a guest user account permanent using the controller GUI, you must delete the account and create it again. If desired, you can use the config netuser lifetime user_name 0 command to make a guest user account permanent without deleting and recreating it.
From the WLAN SSID drop-down list, choose the SSID that will be used by the guest user. The only WLANs that are listed are those WLANs for which Layer 3 web authentication has been configured.
We recommend that you create a specific guest WLAN to prevent any potential conflicts. If a guest account expires and it has a name conflict with an account on the RADIUS server and both are on the same WLAN, the users associated with both accounts are disassociated before the guest account is deleted.
In the Description text box, enter a description of the guest user account. You can enter up to 32 characters.
Click Apply to commit your changes. The new guest user account appears in the list of guest users on the Guest Users List page.
From this page, you can see all of the guest user accounts, their WLAN SSID, and their lifetime. You can also edit or remove a guest user account. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.
Repeat this procedure to create any additional guest user accounts.
Viewing Guest User Accounts
Viewing the Guest Accounts (GUI)
To view guest user accounts using the controller GUI, choose Security > AAA > Local Net Users. The Local Net Users page appears.
From this page, you can see all of the local net user accounts (including guest user accounts) and can edit or remove them as desired. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.
Viewing the Guest Accounts (CLI)
To see all of the local net user accounts (including guest user accounts) using the controller CLI, enter this command:
Configuring Administrator Usernames and Passwords
Information About Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information. This section provides instructions for initial configuration and for password recovery.
Configuring Usernames and Passwords (GUI)
Choose Management > Local Management Users.
Enter the username and password, and confirm the password.
Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.
Choose the User Access Mode as one of the following:
Configuring Usernames and Passwords (CLI)
Configure a username and password by entering one of these commands:
config mgmtuser add username password read-write—Creates a username-password pair with read-write privileges.
config mgmtuser add username password read-only—Creates a username-password pair with read-only privileges. Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.
If you ever need to change the password for an existing username, enter the config mgmtuser password username new_password command.
List the configured users by entering this command:
Before You Begin
Ensure that you are accessing the controller CLI through the console port.
After the controller boots up, enter Restore-Password at the User prompt.
For security reasons, the text that you enter does not appear on the controller console.
At the Enter User Name prompt, enter a new username.
At the Enter Password prompt, enter a new password.
At the Re-enter Password prompt, reenter the new password. The controller validates and stores your entries in the database.
When the User prompt reappears, enter your new username.
When the Password prompt appears, enter your new password. The controller logs you in with your new username and password.
Changing the Default Values for SNMP v3 Users
Information About Changing the Default Values for SNMP v3 Users
The controller uses a default value of “default” for the username, authentication password, and privacy password for SNMP v3 users. Using these standard values presents a security risk. Therefore, Cisco strongly advises that you change these values.
SNMP v3 is time sensitive. Ensure that you configure the correct time and time zone on your controller.
Changing the SNMP v3 User Default Values (GUI)
Choose Management > SNMP > SNMP V3 Users to open the SNMP V3 Users page.
If “default” appears in the User Name column, hover your cursor over the blue drop-down arrow for the desired user and choose Remove to delete this SNMP v3 user.
Click New to add a new SNMP v3 user. The SNMP V3 Users > New page appears.
In the User Profile Name text box, enter a unique name. Do not enter “default.”
Choose Read Only or Read Write from the Access Mode drop-down list to specify the access level for this user. The default value is Read Only.
From the Authentication Protocol drop-down list, choose the desired authentication method: None, HMAC-MD5 (Hash-based Message Authentication Code with Message Digest 5), or HMAC-SHA (Hash-based Message Authentication Code with Secure Hash Algorithm). The default value is HMAC-SHA.
In the Auth Password and Confirm Auth Password text boxes, enter the shared secret key to be used for authentication. You must enter at least 12 characters that include both letters and numbers.
From the Privacy Protocol drop-down list, choose the desired encryption method: None, CBC-DES (Cipher Block Chaining mode with Data Encryption Standard), or CFB-AES-128 (Cipher Feedback mode with Advanced Encryption Standard-128). The default value is CFB-AES-128.
In order to configure CBC-DES or CFB-AES-128 encryption, you must have selected either HMAC-MD5 or HMAC-SHA as the authentication protocol in Step 6.
In the Priv Password and Confirm Priv Password text boxes, enter the shared secret key to be used for encryption. You must enter at least 12 characters that include both letters and numbers.
Click Save Configuration.
Reboot the controller so that the SNMP v3 user that you added takes effect.
Changing the SNMP v3 User Default Values (CLI)
See the current list of SNMP v3 users for this controller by entering this command:
If “default” appears in the SNMP v3 User Name column, enter this command to delete this user:
config snmp v3user delete username
The username parameter is the SNMP v3 username (in this case, “default”).
Create a new SNMP v3 user by entering this command:
Controllers support a maximum key size of 2048 bits.
You must provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the controller. This name should exist in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect.
After you issue the command, you are prompted to enter information such as country name, state, city, and so on.
Information similar to the following appears:
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'mykey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) :San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) :CDE
Common Name (eg, YOUR name) :XYZ.ABC
Email Address :Test@abc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :Test123
An optional company name :
After you provide all the required details two files are generated:
A new private key that includes the name mykey.pem
A CSR that includes the name myreq.pem
Copy and paste the Certificate Signing Request (CSR) information into any CA enrollment tool. After you submit the CSR to a third party CA, the third party CA digitally signs the certificate and sends back the signed certificate chain through e-mail. In case of chained certificates, you receive the entire chain of certificates from the CA. If you only have one intermediate certificate similar to the example above, you will receive the following three certificates from the CA:
Ensure that the certificate is Apache-compatible and uses SHA1.
Once you have all the three certificates, copy and paste into another file the contents of each .pem file in this order:
Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.
Create the All-certs.pem and final.pem files by entering these commands:
final.pem is the file that we need to download to the controller.
You must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the controller. In the above example, the password that is configured for both the -passin and -passout parameters is check123.
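The key, CSR, chain and final.pem steps above, carried through end to end as an added example that is not part of the Cisco guide. It replaces the interactive prompts with -subj, uses a 2048-bit key (the controller's maximum), confirms the Common Name before the request is sent, and stands in for the third-party CA with a throwaway test root so that it runs offline; in a real enrollment the device and intermediate certificates returned by the CA take the place of device.pem and testca.pem. The hostname wlc.example.com, the scratch directory layout and the pkcs12 export/import round trip used to combine the chain with the key under -passin/-passout are assumptions of this example, not commands taken from the guide; check123 is the password the guide's text uses.

```shell
#!/bin/sh
# Added example (not Cisco's own commands): build final.pem for the controller.
# Assumptions: a local test CA stands in for the third-party CA, the hostname
# and password are constructed, and pkcs12 is used to bundle chain and key.
set -eu

# Device private key (2048-bit, the controller's maximum) and CSR.
# The CN must be the DNS host name that resolves to the controller's virtual
# interface IP; the other fields mirror the transcript's sample answers.
make_csr() {
    cn="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout mykey.pem -out myreq.pem \
        -subj "/C=US/ST=CA/L=San Jose/O=ABC/OU=CDE/CN=$cn" 2>/dev/null
}

# Confirm the CSR carries the expected Common Name before it goes to the CA.
check_csr_cn() {
    openssl req -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Stand-in for the third-party CA: a throwaway root that signs the CSR.
# A real deployment uses the device and intermediate certificates the CA returns.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout testca.key -out testca.pem -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in myreq.pem -CA testca.pem -CAkey testca.key \
        -CAcreateserial -days 30 -out device.pem 2>/dev/null
}

# Assemble the chain (device certificate first, then issuers) and wrap it
# with the private key. The -passout value must equal the certpassword that
# is later entered on the controller.
build_final_pem() {
    pw="$1"
    cat device.pem testca.pem > All-certs.pem
    openssl pkcs12 -export -in All-certs.pem -inkey mykey.pem \
        -out All-certs.p12 -passin "pass:$pw" -passout "pass:$pw"
    openssl pkcs12 -in All-certs.p12 -out final.pem \
        -passin "pass:$pw" -passout "pass:$pw"
}

# Sanity checks before download: bundle holds an encrypted key and at least
# one certificate, and the key does not exceed the controller's 2048-bit limit.
verify_final_pem() {
    grep -q "PRIVATE KEY" final.pem || return 1
    grep -q "BEGIN CERTIFICATE" final.pem || return 1
    bits=$(openssl rsa -in mykey.pem -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "$bits" -le 2048 ]
}

# Run the whole procedure inside a scratch directory.
run_in_dir() {
    dir="$1"; cn="$2"; pw="$3"
    mkdir -p "$dir"
    ( cd "$dir" && make_csr "$cn" && check_csr_cn myreq.pem "$cn" \
        && sign_with_test_ca && build_final_pem "$pw" && verify_final_pem )
}

# Usage: sh build_final_pem.sh <workdir> [hostname] [password]
if [ $# -ge 1 ]; then
    run_in_dir "$1" "${2:-wlc.example.com}" "${3:-check123}"
    echo "final.pem ready in $1; download it with certpassword ${3:-check123}"
fi
```

The script stops at the Common Name check if the CSR does not name the controller's DNS host name, which is the mismatch the guide warns about; the key-size check catches a request the controller would reject after the signed chain has already come back from the CA.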
What to Do Next
Download the final.pem file to the controller either using CLI or GUI.
Downloading Third-Party Certificate (GUI)
Copy the device certificate final.pem to the default directory on your TFTP server.
Choose Security > Web Auth > Certificate to open the Web Authentication Certificate page.
Check the Download SSL Certificate check box to view the Download SSL Certificate From Server parameters.
In the Server IP Address text box, enter the IP address of the TFTP server.
In the File Path text box, enter the directory path of the certificate.
In the File Name text box, enter the name of the certificate.
In the Certificate Password text box, enter the password to protect the certificate.
After the download is complete, choose Commands > Reboot and click Save and Reboot.
Click OK in order to confirm your decision to reboot the controller.
Downloading Third-Party Certificate (CLI)
Move the final.pem file to the default directory on your TFTP server. Change the download settings by entering the following commands:
(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download datatype webauthcert
(Cisco Controller) >transfer download serverip <TFTP server IP address>
(Cisco Controller) >transfer download path <absolute TFTP server path to the update file>
(Cisco Controller) >transfer download filename final.pem
Enter the password for the .pem file so that the operating system can decrypt the SSL key and certificate.
Ensure that the value for certpassword is the same as the -passout parameter when you generate a CSR.
Start the certificate and key download by entering this command:
(Cisco Controller) >transfer download start
Data Type........................................ Site Cert
TFTP Server IP................................... 10.77.244.196
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Filename.................................... final.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP Dev cert transfer starting.
Reboot the switch to use new certificate.