Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Design Guide
10-10
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 10 Cisco Unified Wireless Guest Access Services
WLAN Controller Guest Access
• Resolvable Home Page URL—The home page URL of a guest user must be globally resolvable by
DNS. If a user home page is, for example, an internal company home page that cannot be resolved
outside of their company intranet, that user is not redirected. In this case, the user must open a URL
to a public site such as
.
• HTTP Port 80—If the home page of a user is resolvable, but connects to a web server on a port other
than port 80, they are not redirected. Again, the user is required to open a URL that uses port 80 to
be redirected to the WLC web authentication page.
Note
In addition to port 80, there is an option to configure one additional port number that the controller can
monitor for redirection. The setting is available only through the CLI of the controller:
<controller_name> config> network web-auth-port <port>.
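The two redirect conditions above, written as a help-desk triage check. This is an added example, not Cisco code: `redirect_check`, `constructed_resolver`, and the host names are hypothetical, and the resolver is a constructed stand-in for a public DNS lookup so the check runs offline.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: names that public DNS is assumed to resolve.
PUBLIC_NAMES = {"www.example.com", "portal.example.net"}


def constructed_resolver(hostname):
    """Stand-in for a public DNS lookup (assumption, for offline use)."""
    return hostname.lower() in PUBLIC_NAMES


def redirect_check(url, resolver, extra_port=None):
    """Return (redirected, reason) for a guest's first browser request.

    resolver   -- callable(hostname) -> bool, True if the name resolves publicly
    extra_port -- the one additional port set with `network web-auth-port`
    Models only the two conditions stated in the guide: DNS and port.
    """
    # Browsers treat a bare "host/path" as http, so do the same here.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    if not host:
        return False, "no hostname in URL"
    try:
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return False, "invalid port in URL"
    if port is None:
        return False, f"no default port known for scheme {parts.scheme!r}"
    # Condition 1: the name must resolve, or the browser never sends a request.
    if not resolver(host):
        return False, f"{host} is not resolvable by public DNS"
    # Condition 2: only port 80 plus the optional extra port is monitored.
    monitored = {80} | ({extra_port} if extra_port else set())
    if port not in monitored:
        return False, f"port {port} is not monitored (monitored: {sorted(monitored)})"
    return True, f"request to {host}:{port} is redirected to web authentication"


def triage(urls, resolver, extra_port=None):
    """Check several home page URLs; returns {url: (redirected, reason)}."""
    return {u: redirect_check(u, resolver, extra_port) for u in urls}
```
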
Guest Credentials Management
Guest credentials can be created and managed centrally using WCS, beginning with release 4.0.
A network administrator can create a limited-privilege account within WCS that permits lobby
ambassador access for the purpose of creating guest credentials. With such an account, the only function
a lobby ambassador is permitted to perform is to create and assign guest credentials to controllers that have
web-policy configured WLANs. For configuration guidelines, see
As with many configuration tasks within WCS, guest credentials are created using templates. Beginning
with release 4.1, the following new guest user template options and capabilities were introduced:
• There are two types of guest templates: one schedules immediate guest access with a limited or
unlimited lifetime; the other lets administrators schedule “future” guest access and offers
time-of-day as well as day-of-week access restrictions.
• The solution now offers administrators the ability to e-mail credentials to guest users. Additionally,
when the “schedule” guest template is used, the system automatically e-mails credentials for each
new day (interval) that access is offered.
• Guest credentials can be applied to the WLC(s) based on a (guest) WLAN SSID and WCS mapping
information (campus/building/floor location), or based on a WLAN SSID and a specific controller or
list of controllers. The latter method is used when deploying guest access using the guest mobility
anchor method as discussed in this chapter.
For further information, see
After a lobby ambassador has created a guest template, it is applied to one or more controllers depending
on the guest access topology. Only controllers with a “web” policy-configured WLAN are listed as
candidate controllers to which the template can be applied. This is also true when applying guest
templates to controllers based on WCS map location criteria.
Guest credentials, once applied, are stored locally on the (anchor) WLC (under Security > Local Net
Users) and remain there until expiration of the “Lifetime” variable as defined in the guest template. If a
wireless guest is associated and active when their credentials expire, the WLC stops forwarding traffic
and returns to the WEBAUTH_REQD policy state for that user. Unless the guest credentials are
re-applied (to the controller), the user is no longer able to access the network.