Step 1 | To create a dynamic interface for wired guest user access, choose Controller > Interfaces. The Interfaces page appears.
Step 2 | Click New to open the Interfaces > New page.
Step 3 | Enter a name and VLAN ID for the new interface.
Step 4 | Click Apply to commit your changes.
Step 5 | In the Port Number text box, enter a valid port number. You can enter a number between 0 and 25 (inclusive).
Step 6 | Select the Guest LAN check box.
Step 7 | Click Apply to commit your changes.
Step 8 | To create a wired LAN for guest user access, choose WLANs.
Step 9 | On the WLANs page, choose Create New from the drop-down list and click Go. The appears.
Step 10 | From the Type drop-down list, choose Guest LAN.
Step 11 | In the Profile Name text box, enter a name that identifies the guest LAN. Do not use any spaces.
Step 12 | From the WLAN ID drop-down list, choose the ID number for this guest LAN.
Note | You can create up to five guest LANs, so the WLAN ID options are 1 through 5 (inclusive).
Step 13 | Click Apply to commit your changes.
Step 14 | Select the Enabled check box for the Status parameter.
Step 15 | Web authentication (Web-Auth) is the default security policy. If you want to change this to web passthrough, choose the Security tab after completing Step 16 and Step 17.
Step 16 | From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.
Step 17 | From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic.
Step 18 | If you want to change the authentication method (for example, from web authentication to web passthrough), choose Security > Layer 3. The WLANs > Edit (Security > Layer 3) page appears.
Step 19 | From the Layer 3 Security drop-down list, choose one of the following:
- None—Layer 3 security is disabled.
- Web Authentication—Causes users to be prompted for a username and password when connecting to the wireless network. This is the default value.
- Web Passthrough—Allows users to access the network without entering a username and password.
Note | There should not be a Layer 3 gateway on the guest wired VLAN, as this would bypass the web authentication done through the controller.
Step 20 | If you choose the Web Passthrough option, an Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.
Step 21 | To override the global authentication configuration set on the Web Login page, select the Override Global Config check box.
Step 22 | When the Web Auth Type drop-down list appears, choose one of the following options to define the web authentication pages for wired guest users:
- Internal—Displays the default web login page for the controller. This is the default value.
- Customized—Displays custom web login, login failure, and logout pages. If you choose this option, three separate drop-down lists appear for login, login failure, and logout page selection. You do not need to define a customized page for all three options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.
  Note | These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files.
- External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.
You can choose specific RADIUS or LDAP servers to provide external authentication on the WLANs > Edit (Security > AAA Servers) page. Additionally, you can define the priority in which the servers provide authentication.
Step 23 | If you chose External as the web authentication type in Step 22, choose Security > AAA Servers and choose up to three RADIUS and LDAP servers using the drop-down lists.
Note | You can configure the Authentication and LDAP Server using both IPv4 and IPv6 addresses.
Note | The RADIUS and LDAP external servers must already be configured in order to be selectable options on the WLANs > Edit (Security > AAA Servers) page. You can configure these servers on the RADIUS Authentication Servers page and LDAP Servers page.
Step 24 | Establish the priority in which the servers are contacted to perform web authentication as follows:
Note | The default order is local, RADIUS, LDAP.
- Highlight the server type (local, RADIUS, or LDAP) that you want to be contacted first in the box next to the Up and Down buttons.
- Click Up and Down until the desired server type is at the top of the box.
- Click the < arrow to move the server type to the priority box on the left.
- Repeat these steps to assign priority to the other servers.
Step 25 | Click Apply.
Step 26 | Click Save Configuration.
Step 27 | Repeat this process if a second (anchor) controller is being used in the network.
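The note in Step 19 warns that a Layer 3 gateway on the guest wired VLAN would bypass the controller's web authentication. The following is an added example, not part of the original guide: it checks an IOS-style access switch configuration for an active switched virtual interface (SVI) with an address on the guest VLAN. The sample configuration, VLAN ID 236 and the function names are constructed for illustration.

```python
import re

# Constructed sample: running-config excerpt from a Layer 2 access switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description wired-guest-port
 switchport access vlan 236
 switchport mode access
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan236
 description guest
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan237
 no ip address
 shutdown
!
"""

def parse_svis(config):
    """Return {vlan_id: {"addresses": [...], "shutdown": bool}} per 'interface VlanN' stanza."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+Vlan(\d+)\s*$", line, re.IGNORECASE)
        if m:
            current = svis.setdefault(int(m.group(1)), {"addresses": [], "shutdown": False})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the current stanza
        elif current is not None:
            body = line.strip()
            a = re.match(r"^(?:ip|ipv6) address\s+(\S+)", body)
            if a:
                current["addresses"].append(a.group(1))
            elif body == "shutdown":
                current["shutdown"] = True
    return svis

def guest_vlan_gateways(config, guest_vlan_id):
    """Addresses of an active Layer 3 interface on the guest VLAN (empty list = none found)."""
    svi = parse_svis(config).get(guest_vlan_id)
    if svi is None or svi["shutdown"]:
        return []
    return svi["addresses"]
```

An empty result only clears the device whose configuration was inspected; a routed interface for the same VLAN on another device has to be checked separately.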