Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Guest Access
All mobility peers should be configured for hierarchical mobility architecture.
For the Guest Controller, mobility anchor configuration on the WLAN is mandatory on both the Mobility Agent and the Guest Controller.
Guest Access can be a 3-box solution or a 2-box solution. The mobility tunnel link status should be up between either:
Mobility Agent, Mobility Controller and Guest Controller, or
Mobility Agent/Mobility Controller and Guest Controller.
Restrictions for Guest Access
Guest Controller functionality is not supported on the Catalyst 3850 switch, whereas the Catalyst 3850 can act as a mobility agent.
Information about Wireless Guest Access
Ideally, the implementation of a wireless guest network uses as much of an enterprise's existing wireless and wired infrastructure as possible to avoid the cost and complexity of building a physical overlay network. Assuming this is the case, the following additional elements and functions are needed:
A dedicated guest WLAN/SSID—Implemented throughout the campus wireless network wherever guest access is required. A guest WLAN is identified by a WLAN with a mobility anchor (Guest Controller) configured.
Guest traffic segregation—Requires implementing Layer 2 or Layer 3 techniques across the campus network to restrict where guests are allowed to go.
Access control—Involves using embedded access control functionality within the campus network or implementing an external platform to control guest access to the Internet from the enterprise network.
Guest user credential management—A process by which a sponsor or lobby administrator can create temporary credentials on behalf of a guest. This function might be resident within an access control platform or it might be a component of AAA or some other management system.
Fast Secure Roaming
Fast secure roaming can be achieved by caching the Pairwise Master Key (PMK) information for Cisco Centralized Key Management (CCKM), 802.11r and 802.11i clients. Cisco Centralized Key Management (CCKM) helps to improve roaming.
Only the client can initiate the roaming process, which depends on factors such as:
Overlap between APs
Distance between APs
Channel, signal strength, and load on the AP
Data rates and output power
Whenever a fast-roaming client (802.11i, CCKM) roams to a new device, after fast roaming the client goes through the mobility "handoff" procedure, and any new AAA attributes learned through the mobility "handoff" procedure are re-applied.
Full L2 authentication must be avoided during roaming if the client uses 802.11i WPA2, CCKM, or 802.11r, in order to achieve the full requirements of fast secure roaming. The PMK cache (802.11i, CCKM, and 802.11r) is used to authenticate and derive the keys for roaming clients so that full L2 authentication is avoided. This requires all Mobility Anchors (MA) and Mobility Controllers (MC) in the mobility group to have the same PMK cache values.
The session timeout defines when a PMK cache entry expires. A PMK cache entry can also be deleted when a client fails to re-authenticate or when it is manually deleted from the CLI. The deletion on the original controller or switch is propagated to the other controllers or switches in the same mobility group.
Creates a password for the lobby administrator account.
Step 5
end
Example:
Switch(config-user-name)# end
Returns to privileged EXEC mode.
Step 6
show running-config | section user-name (or) show running-config | section configured-lobby-admin-username
Example:
Switch# show running-config | section lobby
Displays the configuration details.
Configuring Guest User Accounts
SUMMARY STEPS
1. configure terminal
2. user-name user-name
3. password unencrypted/hidden-password password
4. type network-user description description guest-user lifetime year 0-1 month 0-11 day 0-30 hour 0-23 minute 0-59 second 0-59
5. end
6. show aaa local netuser all
7. show running-config | section user-name
DETAILED STEPS
Step 1
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
user-name user-name
Example:
Switch(config)# user-name guest
Creates a username for the lobby ambassador account.
Step 3
password unencrypted/hidden-password password
Example:
Switch(config-user-name)# password 0 guest
Specifies the password for the user.
Step 4
type network-user description description guest-user lifetime year 0-1 month 0-11 day 0-30 hour 0-23 minute 0-59 second 0-59
Example:
Switch(config-user-name)# type network-user description guest guest-user lifetime year 1 month 10 day 3 hour 1 minute 5 second 30
Specifies the type of user.
Step 5
end
Example:
Switch(config-user-name)# end
Returns to privileged EXEC mode.
Step 6
show aaa local netuser all
Example:
Switch# show aaa local netuser all
Displays the configuration details. After the lifetime expires, the user-name with guest type is deleted and any client associated with the guest user-name is de-authenticated.
Configures the Mobility Controller to which the MA will be associated.
Step 3
wlan wlan-name wlan-id ssid
Example:
Switch(config)# wlan mywlan 34 mywlan-ssid
For wlan-name, enter the profile name. The range is 1 to 32 characters.
For wlan-id, enter the WLAN ID. The range is 1 to 512.
For ssid, enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.
Step 4
client vlan vlan-id/vlan-group name
Example:
Switch(config-wlan)# client vlan VLAN0136
Configures the VLAN ID or VLAN group of the WLAN.
Step 5
no security wpa
Example:
Switch(config-wlan)# no security wpa
The security configuration must be the same as for the WLAN created on the GC. This example is for open authentication.
For other security types, such as open and webauth, the appropriate command should be provided.
Step 6
mobility anchor ip-address
Example:
Switch(config-wlan)# mobility anchor 9.3.32.2
Configures the Guest Controller as the mobility anchor.
Step 7
aaa-override
Example:
Switch(config-wlan)# aaa-override
(Optional) Enables AAA override. AAA override is required for non-open authentication when AAA attributes are to be prioritized.
It is required only when the guest user needs to be de-authenticated after the lifetime expires, or when aaa-override attributes have to be given to the user.
Step 8
no shutdown
Example:
Switch(config-wlan)# no shutdown
Enables the WLAN.
Step 9
end
Example:
Switch(config-wlan)# end
Returns to privileged EXEC mode.
Step 10
show wireless mobility summary
Example:
Switch# show wireless mobility summary
Verifies the mobility controller IP address and the mobility tunnel status.
Step 11
show wlan name wlan-name / id wlan-id
Example:
Switch# show wlan name mywlan
Displays the mobility anchor configuration.
Configuring Mobility Controller
Mobility Controller mode should be enabled using the wireless mobility controller command.
SUMMARY STEPS
1. configure terminal
2. wireless mobility group member ip ip-address public-ip ip-address group group-name
Allows you to specify the filename for the web authentication customized login success page.
Step 7
end
Example:
Switch(config-params-parameter-map)# end
Returns to privileged EXEC mode.
Step 8
show running-config | section parameter-map type webauth parameter-map
Example:
Switch# show running-config | section parameter-map type webauth test
Displays the configuration details.
Configuring AAA-Override
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name
3. aaa-override
4. end
5. show running-config | section wlan-name
DETAILED STEPS
Step 1
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name
Example:
Switch(config)# wlan ramban
For wlan-name, enter the profile name. The range is 1 to 32 characters.
Step 3
aaa-override
Example:
Switch(config-wlan)# aaa-override
Enables AAA override on the WLAN.
Step 4
end
Example:
Switch(config-wlan)# end
Returns to privileged EXEC mode.
Step 5
show running-config | section wlan-name
Example:
Switch# show running-config | section ramban
Displays the configuration details.
Configuring Client Load Balancing
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name
3. shutdown
4. mobility anchor ip-address1
5. mobility anchor ip-address2
6. no shutdown wlan
7. end
8. show running-config | section wlan-name
DETAILED STEPS
Step 1
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name
Example:
Switch(config)# wlan ramban
For wlan-name, enter the profile name.
Step 3
shutdown
Example:
Switch(config-wlan)# shutdown
Disables the WLAN.
Step 4
mobility anchor ip-address1
Example:
Switch(config-wlan)# mobility anchor 9.7.136.15
Configures a guest controller as a mobility anchor.
Step 5
mobility anchor ip-address2
Example:
Switch(config-wlan)# mobility anchor 9.7.136.16
Configures a second guest controller as a mobility anchor.
Step 6
no shutdown wlan
Example:
Switch(config-wlan)# no shutdown wlan
Enables the WLAN.
Step 7
end
Example:
Switch(config-wlan)# end
Returns to privileged EXEC mode.
Step 8
show running-config | section wlan-name
Example:
Switch# show running-config | section ramban
Displays the configuration details.
Configuring Preauthentication ACL
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name
3. shutdown
4. ip access-group web preauthrule
5. no shutdown
6. end
7. show wlan name wlan-name
DETAILED STEPS
Step 1
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name
Example:
Switch(config)# wlan ramban
For wlan-name, enter the profile name.
Step 3
shutdown
Example:
Switch(config-wlan)# shutdown
Disables the WLAN.
Step 4
ip access-group web preauthrule
Example:
Switch(config-wlan)# ip access-group web preauthrule
Configures the ACL that is applied to the client before authentication.
Step 5
no shutdown
Example:
Switch(config-wlan)# no shutdown
Enables the WLAN.
Step 6
end
Example:
Switch(config-wlan)# end
Returns to privileged EXEC mode.
Step 7
show wlan name wlan-name
Example:
Switch# show wlan name ramban
Displays the configuration details.
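The guest WLAN procedures above (mobility anchor, AAA override, a second anchor for client load balancing, and the preauthentication ACL) all end in `show running-config | section wlan-name`. The following Python script is an added example, not part of this Cisco guide, that parses that output offline and reports which of those settings a guest WLAN is missing. The running-config sample, the WLAN names and the anchor addresses are constructed for the example; the rule that an open (`no security wpa`) guest WLAN should carry web-auth is an assumed policy, not a statement from this guide.

```python
"""Audit a guest WLAN from `show running-config | section wlan` output.

Added example (not Cisco code): checks the settings this guide's procedures
configure on a guest WLAN: mobility anchor(s), aaa-override, a
preauthentication ACL, and that the WLAN is enabled.
"""
import re

# Constructed running-config sample in the format shown in this guide's
# configuration examples (WLAN names and anchor addresses are made up).
SAMPLE_RUNNING_CONFIG = """\
wlan guest 34 guest-ssid
 client vlan VLAN0136
 ip access-group web preauthrule
 mobility anchor 9.3.32.2
 mobility anchor 9.3.32.3
 no security wpa
 security web-auth
 security web-auth parameter-map test
 aaa-override
 session-timeout 1800
 no shutdown
wlan staff 50 staff-ssid
 security wpa akm cckm
 mobility anchor 9.3.32.2
 shutdown
"""

# "wlan <profile-name> <wlan-id> <ssid>" opens each WLAN block.
WLAN_HEADER = re.compile(r"^wlan (\S+) (\d+) (\S+)$")


def parse_wlans(text):
    """Return {profile-name: {"id", "ssid", "lines"}} from the section output."""
    wlans = {}
    current = None
    for raw in text.splitlines():
        m = WLAN_HEADER.match(raw)
        if m:
            current = {"id": int(m.group(2)), "ssid": m.group(3), "lines": []}
            wlans[m.group(1)] = current
        elif raw.startswith(" ") and current is not None:
            # Sub-mode commands are indented one space in IOS running-config.
            current["lines"].append(raw.strip())
    return wlans


def audit_guest_wlan(text, name):
    """Return the WLAN's mobility anchors and a list of missing guest settings."""
    lines = parse_wlans(text)[name]["lines"]
    anchors = [l.split()[-1] for l in lines if l.startswith("mobility anchor ")]
    findings = []
    if not anchors:
        # Without an anchor, guest traffic is not tunnelled to the Guest Controller.
        findings.append("no-mobility-anchor")
    if "aaa-override" not in lines:
        # Needed for lifetime-based de-authentication and AAA attribute override.
        findings.append("no-aaa-override")
    if not any(l.startswith("ip access-group web ") for l in lines):
        findings.append("no-preauth-acl")
    if "no security wpa" in lines and not any(l.startswith("security web-auth") for l in lines):
        # Assumed policy: an open guest WLAN should at least enforce web-auth or consent.
        findings.append("open-without-webauth")
    if "shutdown" in lines:
        findings.append("wlan-disabled")
    return {"anchors": anchors, "findings": findings}


if __name__ == "__main__":
    for wlan_name in parse_wlans(SAMPLE_RUNNING_CONFIG):
        print(wlan_name, audit_guest_wlan(SAMPLE_RUNNING_CONFIG, wlan_name))
```

Feed it the captured `show running-config | section wlan` text from the Mobility Agent; two anchors in the result means client load balancing as configured above is in place, and an empty findings list means the guest WLAN carries every setting the procedures require.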
Configuring IOS ACL Definition
SUMMARY STEPS
1. configure terminal
2. ip access-list extended access-list-number
3. permit udp any eq port-number any
4. end
5. show access-lists acl-number
DETAILED STEPS
Step 1
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
ip access-list extended access-list-number
Example:
Switch(config)# ip access-list extended 102
Configures an extended IP access list.
Step 3
permit udp any eq port-number any
Example:
Switch(config-ext-nacl)# permit udp any eq 8080 any
Configures the permit entry for the destination host.
Step 4
end
Example:
Switch(config-ext-nacl)# end
Returns to privileged EXEC mode.
Step 5
show access-lists acl-number
Example:
Switch# show access-lists 102
Displays the configuration details.
Configuring Webpassthrough
SUMMARY STEPS
1. configure terminal
2. parameter-map type webauth parameter-map-name
3. type consent
4. end
5. show running-config | section parameter-map type webauth parameter-map
DETAILED STEPS
Step 1
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
parameter-map type webauth parameter-map-name
Example:
Switch(config)# parameter-map type webauth webparalocal
Configures the webauth type parameter map.
Step 3
type consent
Example:
Switch(config-params-parameter-map)# type consent
Configures the webauth type as consent.
Step 4
end
Example:
Switch(config-params-parameter-map)# end
Returns to privileged EXEC mode.
Step 5
show running-config | section parameter-map type webauth parameter-map
Example:
Switch# show running-config | section parameter-map type webauth test
Displays the configuration details.
Configuration Examples for Guest Access
Example: Creating a Lobby Ambassador Account
This example shows how to configure a lobby ambassador account.
Switch# configure terminal
Switch(config)# user-name lobby
Switch(config-user-name)# type lobby-admin
Switch(config-user-name)# password 0 lobby
Switch(config-user-name)# end
Switch# show running-config | section lobby
user-name lobby
creation-time 1351118727
password 0 lobby
type lobby-admin
Example: Obtaining Web Authentication Certificate
This example shows how to obtain a web authentication certificate.
Switch# configure terminal
Switch(config)# crypto pki import cert pkcs12 tftp://9.1.0.100/ldapserver-cert.p12 cisco
Switch(config)# end
Switch# show crypto pki trustpoints cert
Trustpoint cert:
Subject Name:
e=rkannajr@cisco.com
cn=sthaliya-lnx
ou=WNBU
o=Cisco
l=SanJose
st=California
c=US
Serial Number (hex): 00
Certificate configured.
Switch# show crypto pki certificates cert
Certificate
Status: Available
Certificate Serial Number (hex): 04
Certificate Usage: General Purpose
Issuer:
e=rkannajr@cisco.com
cn=sthaliya-lnx
ou=WNBU
o=Cisco
l=SanJose
st=California
c=US
Subject:
Name: ldapserver
e=rkannajr@cisco.com
cn=ldapserver
ou=WNBU
o=Cisco
st=California
c=US
Validity Date:
start date: 07:35:23 UTC Jan 31 2012
end date: 07:35:23 UTC Jan 28 2022
Associated Trustpoints: cert ldap12
Storage: nvram:rkannajrcisc#4.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 00
Certificate Usage: General Purpose
Issuer:
e=rkannajr@cisco.com
cn=sthaliya-lnx
ou=WNBU
o=Cisco
l=SanJose
st=California
c=US
Subject:
e=rkannajr@cisco.com
cn=sthaliya-lnx
ou=WNBU
o=Cisco
l=SanJose
st=California
c=US
Validity Date:
start date: 07:27:56 UTC Jan 31 2012
end date: 07:27:56 UTC Jan 28 2022
Associated Trustpoints: cert ldap12 ldap
Storage: nvram:rkannajrcisc#0CA.cer
Example: Displaying a Web Authentication Certificate
This example shows how to display a web authentication certificate.
Switch# show crypto ca certificate verb
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2A9636AC00000000858B
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: WS-C3780-6DS-S-2037064C0E80
Serial Number: PID:WS-C3780-6DS-S SN:FOC1534X12Q
cn=WS-C3780-6DS-S-2037064C0E80
serialNumber=PID:WS-C3780-6DS-S SN:FOC1534X12Q
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 15:43:22 UTC Aug 21 2011
end date: 15:53:22 UTC Aug 21 2021
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: A310B856 A41565F1 1D9410B5 7284CB21
Fingerprint SHA1: 04F180F6 CA1A67AF 9D7F561A 2BB397A1 0F5EB3C9
X509v3 extensions:
X509v3 Key Usage: F0000000
Digital Signature
Non Repudiation
Key Encipherment
Data Encipherment
X509v3 Subject Key ID: B9EEB123 5A3764B4 5E9C54A7 46E6EECA 02D283F7
X509v3 Authority Key ID: D0C52226 AB4F4660 ECAE0591 C7DC5AD1 B047F76C
Authority Info Access:
Associated Trustpoints: CISCO_IDEVID_SUDI
Key Label: CISCO_IDEVID_SUDI
Example: Configuring Guest User Accounts
This example shows how to configure a guest user account.
Switch# configure terminal
Switch(config)# user-name guest
Switch(config-user-name)# password 0 guest
Switch(config-user-name)# type network-user description guest guest-user lifetime year 1 month 10 day 3 hour 1 minute 5 second 30
Switch(config-user-name)# end
Switch# show aaa local netuser all
User-Name : guest
Type : guest
Password : guest
Is_passwd_encrypted : No
Descriptio : guest
Attribute-List : Not-Configured
First-Login-Time : Not-Logged-In
Num-Login : 0
Lifetime : 1 years 10 months 3 days 1 hours 5 mins 30 secs
Start-Time : 20:47:37 chennai Dec 21 2012
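The `show aaa local netuser all` output above is what an operator has to read to know when a guest account lapses and whether its local password is stored in the clear (`Is_passwd_encrypted : No`, the result of `password 0`). The following Python script is an added example, not part of this Cisco guide: it parses that record format, computes each guest account's end of life as Start-Time plus Lifetime, and flags expired accounts and cleartext passwords. The two records in the sample are constructed (the second user, its hash string and its dates are made up), and `now_iso` is a caller-supplied reference time rather than the switch clock.

```python
"""Audit local guest accounts from `show aaa local netuser all` output.

Added example (not Cisco code): parses the record format shown in this guide,
computes when each guest account's lifetime ends (Start-Time + Lifetime), and
flags expired accounts and cleartext local passwords.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the format this guide shows; the second record and the
# hash string are made up ("chennai" is the configured clock timezone name).
SAMPLE_OUTPUT = """\
User-Name : guest
Type : guest
Password : guest
Is_passwd_encrypted : No
Descriptio : guest
Attribute-List : Not-Configured
First-Login-Time : Not-Logged-In
Num-Login : 0
Lifetime : 1 years 10 months 3 days 1 hours 5 mins 30 secs
Start-Time : 20:47:37 chennai Dec 21 2012

User-Name : visitor2
Type : guest
Password : 5 $1$placeholder$hashvalue
Is_passwd_encrypted : Yes
Descriptio : contractor
Attribute-List : Not-Configured
First-Login-Time : Not-Logged-In
Num-Login : 0
Lifetime : 0 years 0 months 1 days 0 hours 0 mins 0 secs
Start-Time : 09:00:00 chennai Jan 10 2040
"""

LIFETIME_RE = re.compile(
    r"(\d+) years (\d+) months (\d+) days (\d+) hours (\d+) mins (\d+) secs")
# "HH:MM:SS <timezone-name> Mon DD YYYY"; the timezone name is skipped.
START_RE = re.compile(r"(\d\d:\d\d:\d\d) \S+ ([A-Z][a-z]{2} \d{1,2} \d{4})")


def parse_netusers(text):
    """Split the output into one dict per record; a record starts at 'User-Name'."""
    users, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "User-Name":
            current = {}
            users.append(current)
        if current is not None:
            current[key] = value
    return users


def add_months(dt, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    for day in (dt.day, 30, 29, 28):  # e.g. Jan 31 + 1 month -> Feb 28/29
        try:
            return dt.replace(year=year, month=month, day=day)
        except ValueError:
            continue


def expiry_time(user):
    """When the switch deletes the guest account: Start-Time plus Lifetime."""
    y, mo, d, h, mi, s = map(int, LIFETIME_RE.match(user["Lifetime"]).groups())
    clock, date = START_RE.match(user["Start-Time"]).groups()
    start = datetime.strptime(f"{clock} {date}", "%H:%M:%S %b %d %Y")
    return add_months(start, 12 * y + mo) + timedelta(
        days=d, hours=h, minutes=mi, seconds=s)


def audit(text, now_iso):
    """Return {user-name: [issues]} for guest-type users, judged at time now_iso."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for user in parse_netusers(text):
        if user.get("Type") != "guest":
            continue
        issues = []
        if expiry_time(user) <= now:
            issues.append("expired")  # still listed, so the lifetime deletion has not run
        if user.get("Is_passwd_encrypted", "").lower() == "no":
            issues.append("cleartext-password")  # `password 0` stored in the clear
        findings[user["User-Name"]] = issues
    return findings


if __name__ == "__main__":
    print(expiry_time(parse_netusers(SAMPLE_OUTPUT)[0]).isoformat())
    print(audit(SAMPLE_OUTPUT, "2020-01-01T00:00:00"))
```

For the `guest` record above, Start-Time plus a lifetime of 1 year, 10 months, 3 days, 1 hour, 5 minutes and 30 seconds gives 21:53:07 on Oct 24 2014; an account that is still listed after that time indicates the lifetime cleanup has not taken place and deserves a look.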
Example: Configuring Mobility Controller
This example shows how to configure a mobility controller.
Switch# configure terminal
Switch(config)# wireless mobility group member ip 27.0.0.1 public-ip 23.0.0.1 group test
Switch(config)# wireless mobility controller peer-group pg
Switch(config)# wireless mobility controller peer-group pg member ip 9.7.136.10 public-ip 9.7.136.10
Switch(config)# end
Switch# show wireless mobility summary
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : default
Mobility Oracle : Enabled
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 7
Mobility Domain Member Count : 3
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
9.9.9.2 - default 0.0.0.0 UP : UP
12.12.11.11 12.13.12.12 rasagna-grp DOWN : DOWN
27.0.0.1 23.0.0.1 test DOWN : DOWN
Switch Peer Group Name : spg1
Switch Peer Group Member Count : 0
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0
Switch Peer Group Name : pg
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0
IP Public IP Link Status
--------------------------------------------------
9.7.136.10 9.7.136.10 DOWN : DOWN
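The prerequisites for guest access require the mobility tunnel link status to be up between the Mobility Agent, Mobility Controller and Guest Controller, and `show wireless mobility summary` is the command the procedures use to verify it. The following Python script is an added example, not part of this Cisco guide, that parses that output and lists every peer whose control or data link is not UP, along with the DTLS state of the mobility tunnels. The sample output is constructed in the format shown above (peer addresses and group names are made up).

```python
"""Check mobility tunnel state from `show wireless mobility summary` output.

Added example (not Cisco code): the prerequisites require the mobility tunnel
link status to be up between the MA, MC and Guest Controller; this parses the
peer tables and reports every peer whose control or data link is not UP.
"""
import re

# Constructed sample in the format shown in this guide's mobility controller
# example (peer addresses and group names are made up).
SAMPLE_OUTPUT = """\
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : default
DTLS Mode : Enabled
Mobility Domain Member Count : 3
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
9.9.9.2 - default 0.0.0.0 UP : UP
12.12.11.11 12.13.12.12 rasagna-grp DOWN : DOWN
27.0.0.1 23.0.0.1 test DOWN : DOWN
Switch Peer Group Name : pg
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0
IP Public IP Link Status
--------------------------------------------------
9.7.136.10 9.7.136.10 DOWN : DOWN
"""

# A peer row ends in "<control> : <data>"; the columns in between vary by table
# (the multicast IP column may be empty, as in the sample).
PEER_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<public_ip>\S+)(?P<middle>.*?)\s*(?P<control>UP|DOWN) : (?P<data>UP|DOWN)$")


def parse_summary(text):
    """Return {"fields": {...}, "peers": [...]} from the command output."""
    fields, peers = {}, []
    table = "domain"  # rows before the first Switch Peer Group belong to the domain table
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            middle = m.group("middle").split()
            peers.append({
                "ip": m.group("ip"),
                "public_ip": m.group("public_ip"),
                "group": middle[0] if table == "domain" and middle else None,
                "table": table,
                "control": m.group("control"),
                "data": m.group("data"),
            })
        elif line.startswith("Switch Peer Group Name :"):
            table = "spg " + line.split(":", 1)[1].strip()
        elif " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return {"fields": fields, "peers": peers}


def check_mobility(text):
    """Summarise tunnel health: peers fully up, peers not fully up, DTLS state."""
    summary = parse_summary(text)
    up, down = [], []
    for p in summary["peers"]:
        if p["control"] == "UP" and p["data"] == "UP":
            up.append(p["ip"])
        else:
            down.append(f'{p["ip"]} ({p["table"]})')
    return {
        "role": summary["fields"].get("Mobility Role"),
        "dtls_enabled": summary["fields"].get("DTLS Mode") == "Enabled",
        "up": up,
        "down": down,
    }


if __name__ == "__main__":
    print(check_mobility(SAMPLE_OUTPUT))
```

Any entry in `down` for the Guest Controller's address means guest traffic cannot be anchored there yet, so the mobility configuration on both ends should be rechecked before the guest WLAN is enabled.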
Example: Choosing the Default Web Authentication Login Page
This example shows how to choose a default web authentication login page.
Switch# configure terminal
Switch(config)# parameter-map type webauth test
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will
disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
Switch(config)# wlan wlan50
Switch(config-wlan)# shutdown
Switch(config-wlan)# security web-auth authentication-list test
Switch(config-wlan)# security web-auth parameter-map test
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end
Switch# show running-config | section wlan50
wlan wlan50 50 wlan50
security wpa akm cckm
security wpa wpa1
security wpa wpa1 ciphers aes
security wpa wpa1 ciphers tkip
security web-auth authentication-list test
security web-auth parameter-map test
session-timeout 1800
no shutdown
Switch# show running-config | section parameter-map type webauth test
parameter-map type webauth test
type webauth
Example: Choosing a Customized Web Authentication Login Page from an External Web Server
This example shows how to choose a customized web authentication login page from an external web server.
Switch# configure terminal
Switch(config)# parameter-map type webauth global
Switch(config-params-parameter-map)# virtual-ip ipv4 1.1.1.1
Switch(config-params-parameter-map)# parameter-map type webauth test
Switch(config-params-parameter-map)# type webauth
Switch(config-params-parameter-map)# redirect for-login http://9.1.0.100/login.html
Switch(config-params-parameter-map)# redirect portal ipv4 23.0.0.1
Switch(config-params-parameter-map)# end
Switch# show running-config | section parameter-map
parameter-map type webauth global
virtual-ip ipv4 1.1.1.1
parameter-map type webauth test
type webauth
redirect for-login http://9.1.0.100/login.html
redirect portal ipv4 23.0.0.1
security web-auth parameter-map rasagna-auth-map
security web-auth parameter-map test
Example: Assigning Login, Login Failure, and Logout Pages per WLAN
This example shows how to assign login, login failure, and logout pages per WLAN.
Switch# configure terminal
Switch(config)# parameter-map type webauth test
Switch(config-params-parameter-map)# custom-page login device flash:loginsantosh.html
Switch(config-params-parameter-map)# custom-page login expired device flash:loginexpire.html
Switch(config-params-parameter-map)# custom-page failure device flash:loginfail.html
Switch(config-params-parameter-map)# custom-page success device flash:loginsucess.html
Switch(config-params-parameter-map)# end
Switch# show running-config | section parameter-map type webauth test
parameter-map type webauth test
type webauth
redirect for-login http://9.1.0.100/login.html
redirect portal ipv4 23.0.0.1
custom-page login device flash:loginsantosh.html
custom-page success device flash:loginsucess.html
custom-page failure device flash:loginfail.html
custom-page login expired device flash:loginexpire.html
Example: Configuring Preauthentication ACL
This example shows how to configure a preauthentication ACL.
Switch# configure terminal
Switch(config)# wlan fff
Switch(config-wlan)# shutdown
Switch(config-wlan)# ip access-group web preauthrule
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end
Switch# show wlan name fff
Example: Configuring IOS ACL Definition
This example shows how to configure an IOS ACL definition.
Switch# configure terminal
Switch(config)# ip access-list extended 102
Switch(config-ext-nacl)# permit udp any eq 8080 any
Switch(config-ext-nacl)# end
Switch# show access-lists 102
Extended IP access list 102
10 permit udp any eq 8080 any
Example: Configuring Webpassthrough
This example shows how to configure webpassthrough.
Switch# configure terminal
Switch(config)# parameter-map type webauth webparalocal
Switch(config-params-parameter-map)# type consent
Switch(config-params-parameter-map)# end
Switch# show running-config | section parameter-map type webauth test
parameter-map type webauth test
type webauth
redirect for-login http://9.1.0.100/login.html
redirect portal ipv4 23.0.0.1
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.