A guest network for known guests - Help Please!

OldBrompton
Level 1

We currently have several 1200 series access points set up providing connections to our LAN via a non-broadcast SSID and using IAS for RADIUS authentication.

We want to provide public/guest access for our users' personal devices to allow internet access only, via our Websense web filter. We need to authenticate them against their domain accounts before allowing them access to the internet via the VLAN restricting access to the Websense web filter. They should be able to set up their wireless connection on their devices just the once (with minimal assistance/intervention from IT support).

I have tried setting up a Guest SSID authenticating using a different Windows server running IAS for RADIUS authentication, but it doesn't seem to be the right solution. Most notably because I cannot authenticate BB devices as they require preinstallation of a certificate which we will not be able to do for all our users.

Can anyone advise?

3 Replies

Stephen Rodriguez
Cisco Employee

Is it the WebSense box that requires the authentication?

If it's not, I would just go with a PSK; that way not every device will take up an address. Everything should support the PSK, so minimal config for the user, and WebSense should still be in the path.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Thank you Stephen for your quick response.

Unfortunately, just a PSK will not do as we need to be able to disable users from time to time without affecting other users. The ability to authenticate (and hence identify web usage) at the WebSense box would be desirable.

You could probably set up the WLAN to be Layer 3 webauth and have the IAS authenticate the users this way. This will require the users to open a web browser in order to get authenticated.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

The other way I know of is to add something like an ISE server that can use MAC address for identifying and profiling.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml

Remember to mark questions as answered
