WeChat Authentication Based Internet Access

WeChat Client Authentication

The WeChat messaging service is cross-platform communication software that supports text messages, audio calls, video calls, and games. WeChat also offers full-fledged m-commerce capabilities in the app, which you can use to make purchases and bill payments. The app has a large customer base in China and is gaining popularity in the rest of the world. The WeChat client authentication feature gives WeChat users access to wireless internet service using their smartphones or PCs. The WeChat servers authenticate the account. The process is simple and requires little user input.

This platform benefits both the customer and the merchant. The customer gets access to the Internet, and the merchant gets a customer-engagement platform to advertise merchandise and services.

Restrictions on WeChat Client Authentication

  • This feature is supported on Cisco Wave 1 APs in FlexConnect mode only.

  • Downgrading a Cisco WLC running a release with QR-Scan or WeChat specific configuration to an older release which does not support this feature leads to XML validation errors for the Layer 3 security type during the downgrade process.

    The errors do not have any impact on the functioning of the Cisco WLC.

Configuring WeChat Client Authentication on WLC (GUI)

Before you begin

The AP SSID and the WLC MAC address need to be configured in the Baitone server database.

Procedure


Step 1

Log in to the WLC GUI interface.

Step 2

Choose WLANs > WLAN ID > Security to open the WLANs Edit page.

Step 3

In the Security tab, configure the following parameters:

  1. Set the Layer 2 Security to None from the drop-down list on the Layer 2 tab.

  2. Set the Layer 3 Security to Web Policy from the drop-down list on the Layer 3 tab.

  3. Choose Passthrough.

  4. Select the Qr Code Scanning check box.

  5. Enter the portal web page address in the Redirect URL text box, and enter the Shared Key (preconfigured on the external authentication server).

  6. From the Preauthentication ACL > WebAuth FlexAcl drop-down list, choose the ACL that you want to apply to the WLAN.

    Before the client is authenticated, this ACL allows the authentication traffic to pass through to the WeChat authentication servers.

Step 4

In the Advanced tab, select the FlexConnect Local Switching check box.

Step 5

(Optional) Enable local authentication by configuring the following parameters:

  1. Under the Security tab, select the Web policy done locally on AP check box.

    This enables local authentication at the AP and disables central authentication at the WLC.

  2. In the Advanced tab, select the FlexConnect Local Auth check box.

    Enable this option if Web policy done locally on AP is enabled.

Step 6

On the Wireless tab, follow these steps:

  1. Select the FlexConnect ACLs.

    Choose an existing ACL or create a new ACL.

  2. Add the portal page IP address and the WeChat authentication server IP address with permit action as new rules.

Step 7

In the Wireless > Global Configuration page, configure the following parameter:

  1. Enter the virtual IP address in the AP Virtual IP address text box.

    The default AP virtual IP address is 10.1.0.6. The WLC and the client interact with the AP using this AP virtual IP address.

Step 8

Choose Security > Web Auth > Web Login Page. Enter the values for:

  1. QrCode Scanning Bypass Timer: the time for which traffic is temporarily allowed. The valid range is 5 to 60 seconds.

  2. QrCode Scanning Bypass Count: the number of bypass retries allowed for authentication. The valid range is 1 to 9 retries.
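
The pre-authentication ACL from Step 6 and the bypass values from Step 8 decide what a client can reach before it has authenticated. The following is an added example, not Cisco code: it checks planned values against the ranges stated above and flags permit rules that go beyond the portal and WeChat authentication server addresses. The rule tuple layout, function names, and IP addresses are assumptions constructed for illustration.

```python
import ipaddress

# Valid ranges stated in Step 8 above.
BYPASS_TIMER = range(5, 61)   # seconds
BYPASS_COUNT = range(1, 10)   # retries


def audit_preauth_acl(rules, allowed_hosts):
    """Flag permit rules that reach beyond the intended servers.

    rules: list of (action, destination) tuples; this layout is a
    constructed format for the example, not WLC output.
    allowed_hosts: portal and WeChat authentication server IPs.
    """
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings, covered = [], set()
    for idx, (action, dest) in enumerate(rules, start=1):
        if action != "permit":
            continue
        net = ipaddress.ip_network(dest, strict=False)
        if net.num_addresses > 1:
            findings.append(f"rule {idx}: permit {net} is wider than a single host")
            covered |= {h for h in allowed if h in net}
        elif net.network_address in allowed:
            covered.add(net.network_address)
        else:
            findings.append(f"rule {idx}: permit {net} is not a portal or WeChat auth server")
    for host in sorted(allowed - covered):
        findings.append(f"missing permit for {host}")
    return findings


def audit_bypass(timer, count):
    """Check the QrCode Scanning Bypass Timer and Count values."""
    findings = []
    if timer not in BYPASS_TIMER:
        findings.append(f"bypass timer {timer}s outside 5-60")
    if count not in BYPASS_COUNT:
        findings.append(f"bypass count {count} outside 1-9")
    return findings


# Constructed sample using documentation-range addresses, not real servers.
SAMPLE_ALLOWED = ["192.0.2.10", "198.51.100.20"]
SAMPLE_RULES = [("permit", "192.0.2.10"), ("permit", "0.0.0.0/0"), ("permit", "203.0.113.5")]

if __name__ == "__main__":
    for line in audit_preauth_acl(SAMPLE_RULES, SAMPLE_ALLOWED) + audit_bypass(90, 3):
        print(line)
```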


Configuring WeChat Client Authentication on WLC (CLI)

Before you begin

The AP SSID and the WLC MAC address need to be configured in the external authentication server database.

Procedure


Step 1

Configure the WLAN:

  1. Create a WLAN, by entering this command:

    config wlan create wlan-id profile-name ssid-name

  2. Disable L2 security by entering this command:

    config wlan security wpa disable wlan-id

  3. Enable WLAN L3 passthrough by entering this command:

    config wlan security web-passthrough enable wlan-id

Step 2

Enable FlexConnect mode in a Cisco AP by entering this command:

config ap mode flexconnect Cisco-AP

Step 3

Enable or disable QR code scanning support for clients on the WLC by entering this command:

config wlan security web-passthrough qr-scan {enable | disable} wlan-id

Step 4

Configure the QR-scan DES key for the WLAN by entering this command:

config wlan security web-auth des key string wlan-id

Step 5

Configure the QR scan authentication options (timer and count) by entering this command:

config custom-web qrscan-bypass-opt timer count

Step 6

Configure the external Web Authentication URL by entering this command:

config custom-web ext-webauth-url ext-webauth-url

Step 7

Configure a flex-acl and attach it to the WLAN in L3 security.

Step 8

Configure the virtual IP of the controller with the same IP address that is configured on Baitone.

Step 9

Enable or disable QR code scanning support for clients on the WLC:

  • Enable or disable central authentication QR code scanning support for clients on the WLC by entering this command:

    config wlan security web-passthrough qr-scan {enable | disable} wlan-id

  • Enable or disable local authentication QR code scanning support for clients on the WLC by entering this command:

    config wlan security web-passthrough qr-scan local {enable | disable} wlan-id

Step 10

Configure virtual IP for an AP by entering this command:

config ap virtual_ip {enable | disable} ip address

Step 11

See the state of the WeChat QR scan feature for a specific WLAN by entering this command:

show wlan wlan-id

Step 12

See the QR scan bypass options by entering this command:

show custom-web all


Authenticating Client Using WeChat App for Mobile Internet Access (GUI)

Before you begin

The WeChat app must be installed on the smartphone.

Procedure


Step 1

Connect the smartphone to the WeChat enabled SSID.

  1. iPhone: The portal page opens automatically.

  2. Android: Open a URL in a browser, which redirects to the portal page.

Once connected to the SSID, you have 60 seconds to validate the WeChat account.

Step 2

Click the green button displayed to validate the WeChat account.

Step 3

Click the green connect button to connect to WeChat over Wi-Fi.

The merchant page is displayed, which confirms that the user is connected to the Internet.


Authenticating Client Using WeChat App for PC Internet Access (GUI)

Before you begin

The customer's mobile must have the WeChat app installed and have access to the Internet to authenticate the WeChat account.

Procedure


Step 1

Connect the PC to the WeChat enabled SSID.

The server identifies the client and displays the portal web page with a QR code.

Step 2

Scan the QR code using the WeChat app on the mobile.

The WeChat account authentication success is displayed.

Step 3

The PC browser displays the merchant page and is able to access the Internet.