Design Guide for Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 10 Cisco Unified Wireless Guest Access Services
WLAN Controller Guest Access
Note
The Lifetime variable associated with guest credentials is independent of the WLAN session timeout
variable. If a user remains connected beyond the WLAN session timeout interval, they are
de-authenticated. The user is then redirected to the web portal and, assuming their credentials have not
expired, must log back in to regain access. To avoid annoying redirects for authentication, the guest
WLAN session timeout variable should be set appropriately.
Local Controller Lobby Admin Access
In the event that a centralized WCS management system is not deployed or unavailable, a network
administrator can establish a local admin account on the anchor controller, which has only lobby admin
privileges. A person who logs in to the controller using the lobby admin account has access to guest user
management functions. Configuration options available for local guest management are limited in
contrast to the capabilities available through WCS, and include the following:
• User name
• Generate password (check box)
• Administrator-assigned password
• Confirm the password
• Lifetime—days:hours:minutes:seconds
• SSID (check box)
• Only WLANs configured for Layer 3 web policy authentication are displayed
• Description
Any credentials that may have been applied to the controller by WCS are shown when an admin logs
into the controller. A local lobby admin account has privileges to modify or delete any guest credentials
that were previously created by WCS. Guest credentials that are created locally on the WLC do not
automatically appear in WCS unless the controller’s configuration is updated/refreshed in WCS. Locally
created guest credentials that are imported into WCS as a result of a WLC configuration refresh appear
as a new guest template that can be edited and re-applied to the WLC.
Guest User Authentication
As previously discussed in
, when an administrator uses
WCS or a local account on a controller to create guest user credentials, those credentials are stored
locally on the controller, which in the case of a centralized guest access topology, would be the anchor
controller.
When a wireless guest logs in through the web portal, the controller handles the authentication in the
following order:
1. The controller checks its local database for username and password and, if present, grants access.
If no user credentials are found, then:
2. The controller checks to see if an external RADIUS server has been configured for the guest WLAN (under WLAN configuration settings). See External Radius Authentication, page 12-38 for a configuration example. If so, then the controller creates a RADIUS access-request packet with the user name and password and forwards it to the selected RADIUS server for authentication.
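The interaction between the credential Lifetime, the WLAN session timeout and the login order described above, as an added Python model that is not Cisco or controller code. The class and function names, the RADIUS callback, and the choice to treat an expired local entry as absent are assumptions made for the illustration.

```python
import hmac
from dataclasses import dataclass

def parse_lifetime(text):
    """Convert the Lifetime field (days:hours:minutes:seconds) to seconds."""
    parts = text.split(":")
    if len(parts) != 4:
        raise ValueError("expected days:hours:minutes:seconds")
    d, h, m, s = (int(p) for p in parts)
    if min(d, h, m, s) < 0 or h > 23 or m > 59 or s > 59:
        raise ValueError("lifetime field out of range")
    return ((d * 24 + h) * 60 + m) * 60 + s

@dataclass
class Guest:
    password: str
    expires: int  # seconds on the model's clock

class AnchorController:
    """Toy model of the login order in the text (hypothetical names)."""
    def __init__(self, session_timeout, radius=None):
        if session_timeout <= 0:
            raise ValueError("model needs a positive session timeout")
        self.session_timeout = session_timeout
        self.radius = radius  # hypothetical callable(user, pw) -> bool, or None
        self.local_db = {}

    def add_guest(self, user, password, lifetime, now=0):
        self.local_db[user] = Guest(password, now + parse_lifetime(lifetime))

    def web_login(self, user, password, now):
        guest = self.local_db.get(user)
        # Step 1: local database. Assumption: an expired entry counts as absent.
        if guest and now < guest.expires and hmac.compare_digest(
                guest.password.encode(), password.encode()):
            return "local"
        # Step 2: only if a RADIUS server is configured for the guest WLAN.
        if self.radius is not None:
            return "radius" if self.radius(user, password) else "denied"
        return "denied"

def portal_prompts(ctrl, user, password, horizon):
    """Count successful re-logins for a guest who stays connected until horizon."""
    prompts, t = 0, ctrl.session_timeout
    while t <= horizon and ctrl.web_login(user, password, t) != "denied":
        prompts += 1
        t += ctrl.session_timeout
    return prompts
```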