Design Guide for Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
10-12
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 10 Cisco Unified Wireless Guest Access Services
WLAN Controller Guest Access
3. If no specific RADIUS servers have been configured for the guest WLAN:
The controller checks its global RADIUS server configuration settings. Any external RADIUS
servers configured with the option to authenticate “network” users are queried with the guest user
credentials. See
External Radius Authentication, page 12-38
for a configuration example.
Otherwise, if no RADIUS servers have “network user” checked, and the user has not authenticated
as a result of 1 or 2 above, authentication fails.
Note
A RADIUS server can still be used to support network user authentication even if the network user check
box is cleared under the WLC Security > AAA > RADIUS settings. However, to do so, a server must then
be explicitly selected under the Security > AAA Servers settings of a given WLAN. See
External Radius
Authentication, page 12-38
for a configuration example.
External Authentication
WLC and WCS guest account management (lobby ambassador) capabilities can be used only to create
and apply guest user credentials for local authentication on the WLC. However, there may be cases
where an enterprise already has an existing guest management/authentication solution deployed as part
of a wired guest access or NAC solution. If this is the case, the anchor controller/guest WLAN can be
configured to forward web portal authentication to an external RADIUS server, as described in
The default protocol used by the controller to authenticate web users is Password Authentication
Protocol (PAP). In the event you are authenticating web users to an external AAA server, be sure to
verify the protocols supported by that server. The anchor controller can also be configured to use CHAP
or MD5-CHAP for web authentication. The web auth protocol type is configured under the Controller
configuration settings of the WLC.
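Why the protocol check above matters, as an added example that is not part of the original guide: with PAP (RFC 2865 User-Password hiding) the AAA server recovers the cleartext and can compare it against a hashed user store, whereas a CHAP response (RFC 1994) can only be verified by a server that holds the password itself. The shared secret, salt, password and the hash_for_store helper are constructed for this example.

```python
import hashlib, hmac

def _keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def pap_hide(password, secret, authenticator):
    """RFC 2865 sec. 5.2: XOR the zero-padded password with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """AAA server side: the shared secret turns User-Password back into cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def hash_for_store(clear, salt):
    """Constructed stand-in for a user store that keeps only one-way hashes."""
    return hashlib.pbkdf2_hmac("sha256", clear, salt, 10_000)

def verify_pap(hidden, secret, authenticator, salt, stored_hash):
    """PAP works against a hashed store: recover cleartext, hash, compare."""
    clear = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(hash_for_store(clear, salt), stored_hash)

def verify_chap(chap_id, response, challenge, stored_cleartext):
    """CHAP cannot be checked from a hash: the server needs the password itself."""
    return hmac.compare_digest(chap_response(chap_id, stored_cleartext, challenge), response)

if __name__ == "__main__":
    # All values below are constructed for this example.
    secret, auth, salt = b"constructed-shared-secret", bytes(range(16)), b"constructed-salt"
    pw = b"guest-pass-longer-than-16"
    hidden = pap_hide(pw, secret, auth)
    print("PAP ok:", verify_pap(hidden, secret, auth, salt, hash_for_store(pw, salt)))
    print("CHAP ok:", verify_chap(7, chap_response(7, pw, auth), auth, pw))
```

With PAP the guest password is protected on the controller-to-RADIUS leg only by the shared secret, so that secret should be long and unique per server.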
External Authentication using Cisco Secure ACS and Microsoft User Databases
If a guest access deployment is planning to use a Microsoft user database in conjunction with Cisco ACS
to authenticate guest users, see the following additional Cisco ACS configuration caveats:
See specifically the following URL:
Guest Pass-through
Another variation of wireless guest access is to bypass user authentication altogether and allow open
access. However, an enterprise may still need to present an acceptable use policy or disclaimer page to
users before granting access. If this is the case, then a guest WLAN can be configured for web policy
pass through. In this scenario, a guest user is redirected to a portal page containing disclaimer
information. Pass through mode also has an option for a user to enter an e-mail address before connecting
(see
and
for sample pages). See
for
configuration examples.