Cisco Cisco Aironet 1140 Access Point Prospecto

Web authentication is a Layer 3 (L3) security feature that enables the autonomous APs to block IP traffic
(except DHCP and Domain Name Server (DNS)−related packets) until the guest provides a valid username
and password in the web portal to which the client is redirected when a browser is opened.

With web authentication, a separate username and password must be defined for each guest. The guest is
authenticated with the username and password either by the local RADIUS server or an external RADIUS
server.

This feature was introduced in Cisco IOS Release 15.2(4)JA1.  

Note: This document assumes that Bridge Virtual Interface (BVI) 1 on the AP has an IP address of
192.168.10.2 /24, and that the DHCP pool is defined internally on the AP for IP addresses 192.168.10.10
through 192.168.10.254 (IP addresses 192.168.10.1 through 192.168.10.10 are excluded).

Complete these steps in order to configure the AP for guest access:

Add a new Service Set Identifier (SSID) , name it Guest, and configure it for web authentication:

ap(config)#dot11 ssid Guest

ap(config−ssid)#authentication open

ap(config−ssid)#web−auth

ap(config−ssid)#guest−mode

ap(config−ssid)#exit

1. 

Create an authentication rule, where you must specify the proxy authentication protocol, and name it
web_auth:

ap(config)#ip admission name web_auth proxy http

2. 

Apply the SSID (Guest) and the authentication rule (web_auth) to the radio interface. This example
uses 802.11b/g radio:

ap(config)#interface dot11radio 0

ap(config−if)#ssid Guest

ap(config−if)#ip admission web_auth

3.