Guest User Accounts

This chapter explains how administrators and lobby ambassadors create, configure, verify, and assign temporary guest user accounts for WLAN access using the GUI and CLI commands, including lifetime, simultaneous-login limits, and WLAN-specific username binding.

Create guest user accounts

A guest user account is a user account type that

  • grants temporary access to a WLAN or SSID

  • is created by a network administrator or lobby ambassador, and

  • automatically expires after a configured duration.

The controller can provide guest user access on WLANs. You must create guest user accounts to enable this access. The lobby ambassador has limited configuration privileges and can access only the web pages used to manage guest user accounts.

The lobby ambassador can specify how long guest user accounts remain active.

You can associate a user name with a WLAN profile name to restrict guest users to a specific WLAN.

Prerequisites for guest users

  • Guest users are created by an administrator or lobby ambassador.

  • Guest users should be role-based.

  • Guest users should be able to connect to the network and access the internet.

  • Guest users configured locally or remotely (through RADIUS or TACACS) do not have access to the device through Telnet, SSH, or WebUI.

Create a guest user account (GUI)

Enable guest access by adding a new user account in the system through the GUI.

Procedure


Step 1

Choose Configuration > Security > Guest User.

Step 2

On the Guest User page, click Add.

Step 3

Enter a user name, password, and description for the new account. Check the Generate password check box to automatically generate a password.

Step 4

Enter the number of simultaneous user logins. Valid values range from 0 to 64.

Enter zero for unlimited users.

Step 5

In the Lifetime section, choose the number of years, months, days, hours, and minutes.

Step 6

Click Save & Apply to Device.


Create a guest user account (CLI)

Enable temporary or guest access to your network by creating a guest user account with specific attributes and access limitations using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create a guest user account.

Example:

Device(config)# user-name guest-user-name

Step 3

Specify the account type as guest user account.

Example:

Device(config-user-name)# type network-user description description guest-user max-login-limit number-of-simultaneous-logins lifetime year yy month mm day day hour hour minute minute second second

Note

User configuration values must be equal to or lower than the global values, since global values take precedence.

The max-user-login command configured at the global level overrides the session limit configured at the local user level. The value range is from 0 to 8.

Step 4

Create a password for the guest user account.

Example:

Device(config-user-name)# password 0 password

Step 5

Create an AAA attribute list to apply QoS profiles on the guest user account.

Example:

Device(config-user-name)# aaa attribute list aaa-attribute-list-name

Step 6

Return to the global configuration mode.

Example:

Device(config-user-name)# exit

Note

If the lobby admin is local, enter this command:

aaa authentication login default local

If the lobby admin is a remote user, enter these commands:

aaa authentication login default group radius/tacacs
aaa remote username <remote-lobby-admin-name>

For either a local or a remote lobby admin, enter this command to map the authorization policies:

aaa authorization exec default local

Verify guest user account


Device# show aaa local guest_user all
                
User-Name           : new4 
Type                :  GUEST USER 
Password            : * 
Is_passwd_encrypted : No 
Attribute-List      : Not-Configured 
Viewname            : Not-Configured 
Lobby Admin Name    : NEW_LOBBY_ADMIN 
Max Login Limit     : 0 
Description         : guest 
Start-Time          : 07:56:39 IST Jan 25 2019 
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs  
Expiry-Time         : 07:56:39 IST Jan 20 2020
Remaining Lifetime  : 0 years 11 months 29 days 22 hours 52 mins 49 secs

To verify a specific guest user account, use this command:


Device# show aaa local guest_user new_guest3
                
User-Name           : new_guest3
Type                :  GUEST USER
Password            : *
Is_passwd_encrypted : No
Attribute-List      : Not-Configured
Viewname            : Not-Configured
Lobby Admin Name    : INVALID_ADMIN
Max Login Limit     : 9
Description         : new
Start-Time          : 04:39:01 IST Feb 4 2019
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs 
Expiry-Time         : 04:39:01 IST Jan 30 2020
Remaining Lifetime  : 0 years 11 months 11 days 21 hours 16 mins 34 secs
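
The following is an added example, not part of the original guide: a Python script that parses the field layout of the show aaa local guest_user all output and flags accounts with unlimited simultaneous logins (Max Login Limit 0), a per-user limit above the global max-user-login value, or a lifetime longer than policy allows. The sample text, the function names, and the thresholds (7-day lifetime, global limit of 8) are assumptions chosen for illustration.

```python
import re
from datetime import timedelta

# Constructed sample in the field layout of `show aaa local guest_user all`.
SAMPLE = """\
User-Name           : guest_a
Max Login Limit     : 0
Start-Time          : 07:56:39 IST Jan 25 2019
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs
User-Name           : guest_b
Max Login Limit     : 9
Lifetime            : 0 years 0 months 1 days 0 hours 0 mins 0 secs
User-Name           : guest_c
Max Login Limit     : 2
Lifetime            : 0 years 0 months 0 days 8 hours 0 mins 0 secs
"""

def parse_guest_users(text):
    """Return one dict per account; a User-Name line starts a new record."""
    users = []
    for line in text.splitlines():
        # partition() splits on the first colon only, so time values stay intact.
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key == "User-Name":
            users.append({})
        if sep and users:
            users[-1][key] = value
    return users

def lifetime(value):  # approximation: 365-day years, 30-day months
    n = {unit: int(num) for num, unit in re.findall(r"(\d+) (\w+)", value)}
    days = n.get("years", 0) * 365 + n.get("months", 0) * 30 + n.get("days", 0)
    return timedelta(days=days, hours=n.get("hours", 0),
                     minutes=n.get("mins", 0), seconds=n.get("secs", 0))

def audit(users, max_lifetime=timedelta(days=7), global_max_login=8):
    """Flag accounts against an assumed site policy; both thresholds are assumptions."""
    findings = []
    for u in users:
        name, limit = u.get("User-Name", "?"), int(u.get("Max Login Limit", 0))
        if limit == 0:
            findings.append((name, "unlimited simultaneous logins"))
        elif limit > global_max_login:
            findings.append((name, "login limit above global max-user-login"))
        if lifetime(u.get("Lifetime", "")) > max_lifetime:
            findings.append((name, "lifetime exceeds policy"))
    return findings

if __name__ == "__main__":
    print(audit(parse_guest_users(SAMPLE)))
```

Feed it the captured command output in place of SAMPLE and set the thresholds to match the site's guest access policy.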

Assign username to guest users in a WLAN (CLI)

Identify and authenticate guest devices on a WLAN by assigning usernames bound to their MAC addresses using commands.

Before you begin

  • If a WLAN profile name is configured for a user, guest user authentication is allowed only from that WLAN.

  • If a WLAN profile name is not configured for a user, guest user authentication is allowed on any WLAN.

  • To operate in connected mode, configure the AAA policy override under both SSID policies before you assign a username to a guest user on a WLAN.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Assign a username to the WLAN profile.

Example:

Device(config)# username user_name mac wlan-profile-name profile_name

Note

The wlan-profile-name per user is applicable for MAC type users.

Step 3

Display the values of the WLAN profile.

Example:

Device(config)# do show aaa local guest_user new_guest3

Step 4

Return to the privileged EXEC mode.

Example:

Device(config)# end