cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
212
Views
0
Helpful
3
Replies
Highlighted
Beginner

A guest network for known guests - Help Please!

We currently have several 1200 series access points set up providing connections to our LAN via a non-broadcast SSID and using IAS for RADIUS authentication.

We want to provide public/guest our users' personal devices to allow internet access only, via our Websense web filter. We need to authenticate them against their domain accounts before allowing them access to the internet via the VLAN restricting access to the Websense web filter. They should be able to set up their wireless connection on their devices just the once (with minimal assistance/intervention from IT support).

I have tried setting up a Guest SSID authenticating using a different Windows server running IAS for RADIUS authentication, but it doesn't seem to be the right solution. Most notably because I cannot authenticate BB devices as they require preinstallation of a certificate which we will not be able to do for all our users.

Can anyone advise?

3 REPLIES 3
Highlighted

Is it the WebSense box that requires the authentication?

if it's not, I would just go with a PSK, that way not every device will take up and address.  Everything should support the PSK, so minimal config for the user, and WebSense should still be in the path.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Highlighted

Thank you Stephen for your quick response.

Unfortunately, just a PSK will not do as we need to be able to disable users from time to time without affecting other users. The ability to authenticate (and hence identify web usage) at the WebSense box would be desirable.

Highlighted

You could probably setup the wlan to be layer3 webauth and have the IAS authenticate the users this way. This will require the users to open a web browser in order to get authenticated.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

The other way I know of is to add something like an ISE server that can use MAC address for identifying and profiling.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml

Remember to mark questions as answered

Content for Community-Ad