Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information. This section provides instructions for initial configuration and for password recovery.
Ensure that you are accessing the controller CLI through the console port.
Step 1: After the controller boots up, enter Restore-Password at the User prompt.
Step 2: At the Enter User Name prompt, enter a new username.
Step 3: At the Enter Password prompt, enter a new password.
Step 4: At the Re-enter Password prompt, re-enter the new password. The controller validates and stores your entries in the database.
Step 5: When the User prompt reappears, enter your new username.
Step 6: When the Password prompt appears, enter your new password. The controller logs you in with your new username and password.
Configuring Guest User Accounts
The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator user, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.
The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
The local user database is limited to a maximum of 2048 entries, which is also the default value. This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.
For net user accounts or guest user accounts, the following special characters are allowed along with alphanumeric characters: ~, @, #, $, %, ^, &, (, ), !, _, -, `, ., [, ], =, +, *, :, ;, {, }, comma (,), /, and \.
Creating a Lobby Ambassador Account
Step 1: Choose Management > Local Management Users to open the Local Management Users page. This page lists the names and access privileges of the local management users.
Step 2: Click New to create a lobby ambassador account. The Local Management Users > New page appears.
Step 3: In the User Name text box, enter a username for the lobby ambassador account.
Step 4: In the Password and Confirm Password text boxes, enter a password for the lobby ambassador account.
Step 5: Choose LobbyAdmin from the User Access Mode drop-down list. This option enables the lobby ambassador to create guest user accounts.
Step 6: Click Apply to commit your changes. The new lobby ambassador account appears in the list of local management users.
Step 7: Click Save Configuration to save your changes.
To create a lobby ambassador account, use the following command:
config mgmtuser add lobbyadmin_username lobbyadmin_pwd lobby-admin
Note: Replacing lobby-admin with read-only creates an account with read-only privileges. Replacing lobby-admin with read-write creates an administrative account with both read and write privileges.
Step 1: Log into the controller as the lobby ambassador, using the username and password. The Lobby Ambassador Guest Management > Guest Users List page appears.
Step 2: Click New to create a guest user account. The Lobby Ambassador Guest Management > Guest Users List > New page appears.
Step 3: In the User Name text box, enter a name for the guest user. You can enter up to 24 characters.
Step 4: Perform one of the following:
Step 5: From the Lifetime drop-down lists, choose the amount of time (in days, hours, minutes, and seconds) that this guest user account is to remain active. A value of zero (0) for all four text boxes creates a permanent account.
Step 6: From the WLAN SSID drop-down list, choose the SSID that will be used by the guest user. The only WLANs that are listed are those for which Layer 3 web authentication has been configured.
Step 7: In the Description text box, enter a description of the guest user account. You can enter up to 32 characters.
Step 8: Click Apply to commit your changes. The new guest user account appears in the list of guest users on the Guest Users List page. From this page, you can see all of the guest user accounts, their WLAN SSID, and their lifetime. You can also edit or remove a guest user account. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account's username are deleted.
Step 9: Repeat this procedure to create any additional guest user accounts.
Viewing Guest User Accounts
To view guest user accounts using the controller GUI, choose . The Local Net Users page appears.
From this page, you can see all of the local net user accounts (including guest user accounts) and can edit or remove them as desired. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.
To see all of the local net user accounts (including guest user accounts) using the controller CLI, enter this command:
Password Policies
Password policies allow you to enforce strong password checks on newly created passwords for additional management users of the controller and access points. The following requirements are enforced on the new password:
When the controller is upgraded from an older version, all existing passwords are kept as they are, even if they are weak. If strong password checks are enabled after the upgrade, they are enforced from that time onward; the strength of previously added passwords is not checked or altered.
The settings on the Password Policy page affect both the local management user and the access point user configuration.
The strong password requirement based on the WLAN-CC requirement applies only to WLAN admin login passwords and not to AP management passwords.
The strong password lockout feature is not applied when you access the Cisco WLC through a serial connection or a terminal server connection; such connections allow unlimited attempts.
Step 1: Choose Security > AAA > Password Policies to open the Password Policies page.
Step 2: Select the Password must contain characters from at least 3 different classes check box if you want the password to contain characters from at least three of the following classes: lower case letters, upper case letters, digits, and special characters.
Step 3: Select the No character can be repeated more than 3 times consecutively check box if you do not want any character in the new password to repeat more than three times consecutively.
Step 4: Select the Password cannot be the default words like cisco, admin check box if you do not want the password to contain words such as cisco, ocsic, admin, nimda, or any variant obtained by changing the capitalization of letters, by substituting 1, |, or ! for i, by substituting 0 for o, or by substituting $ for s.
Step 5: Select the Password cannot contain username or reverse of username check box if you do not want the password to contain a username or the reverse of a username.
Step 6: Click Apply to commit your changes.
Step 7: Click Save Configuration to save your changes.
Enable or disable a strong password check for the AP and WLC by entering this command:
config switchconfig strong-pwd {case-check | consecutive-check | default-check | username-check | all-checks | position-check | case-digit-check} {enable | disable}
Configure the minimum number of upper case, lower case, digit, and special characters in a password by entering this command:
config switchconfig strong-pwd minimum {upper-case | lower-case | digits | special-chars} num-of-chars
Configure the minimum length for a password by entering this command:
config switchconfig strong-pwd min-length pwd-length
Configure lockout for management or SNMPv3 users by entering this command:
config switchconfig strong-pwd lockout {mgmtuser | snmpv3user} {enable | disable}
Configure the lockout time for management or SNMPv3 users by entering this command:
config switchconfig strong-pwd lockout time {mgmtuser | snmpv3user} timeout-in-mins
Configure the number of consecutive failed attempts allowed for management or SNMPv3 users by entering this command:
config switchconfig strong-pwd lockout attempts {mgmtuser | snmpv3user} num-of-failure-attempts
Configure the password lifetime for management or SNMPv3 users by entering this command:
config switchconfig strong-pwd lifetime {mgmtuser | snmpv3user} lifetime-in-days
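As an added example that is not part of the Cisco documentation or the controller's own code, the following Python function applies the checks described in the GUI steps and the CLI commands above (three character classes, no character repeated more than three times in a row, the default words cisco/ocsic/admin/nimda with their capitalization and 1/|/!-for-i, 0-for-o and $-for-s variants, no username or reversed username, plus min-length and per-class minimums) to a candidate password before it is provisioned. The check names, the substring semantics and the case-insensitive matching for the default-word and username checks are assumptions, not the controller's logic.

```python
import re

# Default words the page lists; their leet-style variants are caught after normalization
DEFAULT_WORDS = ("cisco", "ocsic", "admin", "nimda")
# Substitutions the default-word check undoes: 1, | and ! for i; 0 for o; $ for s
LEET = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def class_counts(password):
    """Count characters per class (keys follow the 'strong-pwd minimum' CLI keywords)."""
    return {
        "lower-case": sum(c.islower() for c in password),
        "upper-case": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special-chars": sum(not c.isalnum() for c in password),
    }


def check_password(password, username="", min_length=0, minimums=None):
    """Return the names of the checks the password fails (empty list = accepted).

    minimums mirrors 'config switchconfig strong-pwd minimum <class> n', e.g. {"digits": 2}.
    Case-insensitive matching for the default-word and username checks is an assumption.
    """
    failures = []
    counts = class_counts(password)
    if len(password) < min_length:                      # strong-pwd min-length
        failures.append("min-length")
    if sum(1 for n in counts.values() if n > 0) < 3:    # at least 3 of 4 classes
        failures.append("three-classes")
    for cls, need in (minimums or {}).items():          # per-class minimums
        if counts.get(cls, 0) < need:
            failures.append(f"minimum-{cls}")
    if re.search(r"(.)\1{3}", password):                # same char 4+ times in a row
        failures.append("consecutive")
    normalized = password.lower().translate(LEET)       # undo capitalization and leet
    if any(word in normalized for word in DEFAULT_WORDS):
        failures.append("default-word")
    if username:
        lowered, u = password.lower(), username.lower()
        if u in lowered or u[::-1] in lowered:          # username or its reverse
            failures.append("username")
    return failures
```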
See the configured options for the strong password check by entering this command:
Information similar to the following appears:
802.3x Flow Control Mode......................... Disabled
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Enabled
consecutive-check ....Enabled
default-check .......Enabled
username-check ......Enabled