Configuring Access Control Lists
To configure Access Control Lists (ACLs) for Facebook Wi-Fi, follow these steps:
Step 1 Choose Security > Access Control Lists > Access Control Name link from the Controller UI.
Step 2 Add a new ACL by clicking New. The Access Control Lists > New page appears.
Step 3 In the Access Control List Name text box, enter a name for the new ACL. You can enter up to 32 alphanumeric characters.
Step 4 Choose the ACL type. There are two types of ACL supported, IPv4 and IPv6.
Step 5 Click Apply. When the Access Control Lists page reappears, click the name of the new ACL.
Step 6 When the Access Control Lists > Edit page appears, click Add New Rule. The Access Control Lists > Rules > New page appears.
Step 7 Configure a rule for this ACL as follows:
a. The controller supports up to 64 rules for each ACL. These rules are listed in order from 1 to 64. In the Sequence text box, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined for this ACL.
Note If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5. If you add or change a sequence number for a rule, the sequence numbers for other rules adjust to maintain a continuous sequence. For instance, if you change a rule’s sequence number from 7 to 5, the rules with sequence numbers 5 and 6 are automatically reassigned as 6 and 7, respectively.
b. From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:
– Any—Any source (this is the default value).
– IP Address—A specific source. If you choose this option, enter the IP address and netmask of the source in the text boxes. If you are configuring an IPv6 ACL, enter the IPv6 address and prefix length of the source in the text boxes.
c. From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:
– Any—Any destination (this is the default value).
– IP Address—A specific destination. If you choose this option, enter the IP address and netmask of the destination in the text boxes. If you are configuring an IPv6 ACL, enter the IPv6 address and prefix length of the destination in the text boxes.
d. From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL. These are the protocol options:
– Any—Any protocol (this is the default value)
– TCP—Transmission Control Protocol
– UDP—User Datagram Protocol
– ICMP/ICMPv6—Internet Control Message Protocol
Note ICMPv6 is only available for IPv6 ACLs.
– ESP—IP Encapsulating Security Payload
– AH—Authentication Header
– GRE—Generic Routing Encapsulation
– IP in IP—Internet Protocol (IP) in IP (permits or denies IP-in-IP packets)
– Eth Over IP—Ethernet-over-Internet Protocol
– OSPF—Open Shortest Path First
– Other—Any other Internet Assigned Numbers Authority (IANA) protocol
Note If you choose Other, enter the number of the desired protocol in the Protocol text box. You can find the list of available protocol numbers on the IANA website.
Step 8 The controller can permit or deny only IP packets in an ACL. Other types of packets (such as ARP packets) cannot be specified.
e. If you chose TCP or UDP in the previous step, two additional parameters appear: Source Port and Destination Port. These parameters enable you to choose a specific source port and destination port or port ranges. The port options are used by applications that send and receive data to and from the networking stack. Some ports are designated for certain applications such as Telnet, SSH, HTTP, and so on.
Note The available Source and Destination port values depend on the ACL type.
f. From the DSCP drop-down list, choose one of these options to specify the differentiated services code point (DSCP) value of this ACL. DSCP is an IP header field that can be used to define the quality of service across the Internet.
– Any—Any DSCP (this is the default value)
– Specific—A specific DSCP from 0 to 63, which you enter in the DSCP edit box
g. From the Direction drop-down list, choose one of these options to specify the direction of the traffic to which this ACL applies:
– Any—Any direction (this is the default value)
– Inbound—From the client
– Outbound—To the client
Note If you are planning to apply this ACL to the controller CPU, the packet direction has no significance; it is always ‘Any’.
h. From the Action drop-down list, choose Deny to cause this ACL to block packets or Permit to cause this ACL to allow packets. The default value is Deny.
i. Click Apply to commit your changes. The Access Control Lists > Edit page reappears, showing the rules for this ACL.
The Deny Counters field shows the number of times that packets have matched the explicit deny ACL rule. The Number of Hits field shows the number of times that packets have matched an ACL rule. You must enable ACL counters on the Access Control Lists page to enable these fields.
Note If you want to edit a rule, click the sequence number of the desired rule to open the Access Control Lists > Rules > Edit page. If you want to delete a rule, hover your cursor over the blue drop-down arrow for the desired rule and choose Remove.
The following options control the access that clients have before authentication:
- Allow only HTTPs traffic before authentication and block all other traffic:
– To do this, click the sequence number whose Source Port or Dest Port has the value HTTPs. The Access Control Lists > Rules > Edit page appears and you can select Permit from the Action drop-down list and click Apply.
- Allow all traffic before authentication and intercept HTTP only:
– To intercept HTTP, click the sequence number whose Source Port or Dest Port has the value HTTP. The Access Control Lists > Rules > Edit page appears and you can select Deny from the Action drop-down list and click Apply.
Step 9 Click Save Configuration to save your changes.
Step 10 Repeat this procedure to add any additional ACLs.
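As an added illustration that is not part of the Cisco guide, the following Python model reproduces the rule-sequence behaviour described in Step 7 (continuous renumbering, at most 64 rules), first-match evaluation with per-rule hit and deny counters, and the two pre-authentication policies listed above. It assumes an implicit deny at the end of the ACL and leaves out addresses and DSCP; the class and function names are hypothetical.

```python
from dataclasses import dataclass
MAX_RULES = 64  # the controller supports up to 64 rules per ACL
@dataclass
class Rule:
    action: str              # "permit" or "deny"
    protocol: str = "any"    # "any", "tcp", "udp", "icmp", ...
    src_port: int = 0        # 0 matches any port
    dst_port: int = 0
    direction: str = "any"   # "any", "inbound" (from client), "outbound" (to client)
    hits: int = 0            # the per-rule "Number of Hits" counter

class Acl:
    def __init__(self, name):
        self.name, self.rules = name, []  # list index 0 holds sequence number 1

    def add_rule(self, seq, rule):
        """Insert at seq; later rules shift so 1..n stays continuous (rule 29 after 1-4 becomes 5)."""
        if not 1 <= seq <= MAX_RULES or len(self.rules) >= MAX_RULES:
            raise ValueError("sequence must be 1-64 and an ACL holds at most 64 rules")
        pos = min(seq, len(self.rules) + 1) - 1
        self.rules.insert(pos, rule)
        return pos + 1  # the sequence number actually assigned

    def resequence(self, old_seq, new_seq):
        """Move one rule, e.g. 7 -> 5 pushes the old rules 5 and 6 to 6 and 7."""
        self.rules.insert(new_seq - 1, self.rules.pop(old_seq - 1))

    def evaluate(self, proto, src_port, dst_port, direction):
        """First matching rule decides; an unmatched packet hits the implicit deny (assumed)."""
        for rule in self.rules:
            if (rule.protocol in ("any", proto) and rule.direction in ("any", direction)
                    and rule.src_port in (0, src_port) and rule.dst_port in (0, dst_port)):
                rule.hits += 1
                return rule.action
        return "deny"

    def deny_counters(self):
        """Matches on explicit deny rules, as the Deny Counters field reports them."""
        return sum(r.hits for r in self.rules if r.action == "deny")

def preauth_acl(https_only):
    """Option 1 (True): permit only HTTPS; option 2 (False): permit all but deny/intercept HTTP."""
    acl = Acl("preauth")
    if https_only:
        acl.add_rule(1, Rule("permit", "tcp", dst_port=443, direction="inbound"))
        acl.add_rule(2, Rule("permit", "tcp", src_port=443, direction="outbound"))
        acl.add_rule(3, Rule("deny"))
    else:
        acl.add_rule(1, Rule("deny", "tcp", dst_port=80, direction="inbound"))
        acl.add_rule(2, Rule("permit"))
    return acl
```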
Configuring WLAN for Web Passthrough Authentication
To provide network access to customers, you need to configure a WLAN on the Cisco Wireless LAN Controller (WLC). For this, you need to set Web Passthrough as the Layer 3 security of the WLAN used for CMX Visitor Connect.
To configure Web Passthrough, follow these steps:
Step 1 Choose WLANs to open the WLANs page from the Controller UI.
Step 2 Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3 Choose the Security > Layer 2 tab.
Step 4 From the Layer 2 Security drop-down list, choose None.
Step 5 Click Apply.
Step 6 Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.
Step 7 Select Web Policy from the Layer 3 Security drop-down list.
Step 8 For web passthrough, choose the Passthrough radio button.
Step 9 To override the global web authentication configuration for this WLAN, select the Over-ride Global Config check box.
Step 10 To define the web authentication pages for wireless guest users, choose External (Re-direct to external server) from the Web Auth type drop-down list. This redirects clients to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.
Step 11 Enter the URL of the Facebook Wi-Fi page in the URL text box. The external redirection URL should point to the portal on the MSE for Facebook Wi-Fi. For example, you can enter:
Note If the MSE is behind a firewall, you need to modify the security rules to allow traffic to port 8084 on the MSE. Otherwise, splash pages will not be displayed to the visitor.
Step 12 Enable this SSID.
Step 13 Click Apply to commit your changes.
Step 14 Click Save Configuration to save the changes.
Note Visitor Connect redirection requires special configuration on WLC for iOS devices and you can do it using this command: config network web-auth captive-bypass enable.
Pairing a Default Facebook Page
The MSE displays the default Facebook page for those locations that do not have a specific Facebook page pairing or for cases where MSE is unable to locate the client.
To create a default Facebook page, follow these steps:
Step 1 Choose Facebook Wi-Fi from the left sidebar menu.
The Facebook Wi-Fi page appears in the right pane.
Step 2 Click Set in the Default Facebook Page.
The Facebook Wi-Fi Configuration page appears.
Note The Facebook Wi-Fi Configuration page appears only if you have created a valid Facebook page.
Step 3 Select the appropriate Facebook page from the Select a Page drop-down list. This page is displayed to all the locations that do not have any paired Facebook page.
Step 4 In the Bypass Mode option, select either the Skip check-in link or the Require Wi-Fi code radio button for guest users without a Facebook account.
Step 5 From the Session Length drop-down list, select the length of time your customers will have Wi-Fi after they check in.
Step 6 Click Okay in the You’ve Set Up Facebook Wi-Fi confirmation dialog box.
Step 7 Switch back to the CMX Connect & Engage Dashboard.