981 Views, 8 Helpful, 4 Replies

Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth

mark.cronin
Level 2

I am not able to test this.

Has anybody configured CUWN guest access with WPA-PSK at layer 2 and web authentication at layer 3?

If so, are there any problems that I should expect?

Mark

4 Replies

Scott Fella
Hall of Fame

There isn't any issue doing that, but if you are going to do this for guest access then you should probably keep it open and use webauth to allow guest access. You don't want to be responsible for setting up non-employee devices, and you don't want to take on the responsibility of something going wrong with their equipment. Now if you want to use it for internal use, then I guess it is okay, but it defeats the purpose of single sign-on.

-Scott
*** Please rate helpful posts ***


Thanks, our security team are not keen on people just being able to associate with the LWAPs and get an IP address from the WLC DHCP pool. I know there is not much that the wireless client can do until it web authenticates, but it is deemed a security risk.

So I am going to propose dual authentication: WPA-PSK (we will change the key on a monthly basis) and, when they associate, web authentication using the username and password created by the lobby ambassador feature.

On a side note: if you only use web policy but the client does not associate, does the client get disassociated after 5 minutes, and does the DHCP entry on the WLC get removed from the DHCP database?

Thanks

Mark
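For readers who want to see what the proposed dual-authentication guest WLAN looks like on the controller, here is an added example of the AireOS WLC CLI configuration for a WLAN that requires WPA2-PSK at layer 2 and web authentication at layer 3. It is not from the original thread or from Cisco; the WLAN ID (3), profile name, SSID, interface name, and the guest username are assumptions, the PSK is a placeholder, and the exact command syntax should be checked against the `show run-config` output and command reference for the WLC software release in use.

```text
! Added example (not from the thread). WLAN ID 3, names and key are placeholders.
! Create the guest WLAN and map it to the guest/DMZ dynamic interface
config wlan create 3 Guest-Profile Guest-SSID
config wlan interface 3 guest-dmz

! Layer 2: WPA2 with AES and PSK only (no 802.1X) -- the key is rotated by hand
config wlan security wpa enable 3
config wlan security wpa wpa2 enable 3
config wlan security wpa wpa2 ciphers aes enable 3
config wlan security wpa akm 802.1x disable 3
config wlan security wpa akm psk enable 3
config wlan security wpa akm psk set-key ascii REPLACE-WITH-MONTHLY-PSK 3

! Layer 3: web authentication on top of the PSK; clients get an address
! but stay in WEBAUTH_REQD until they log in at the portal
config wlan security web-auth enable 3

! A guest account of the kind the lobby ambassador would create (24 h lifetime)
config netuser add guest-visitor01 REPLACE-WITH-GUEST-PASSWORD wlan 3 userType guest lifetime 86400

config wlan enable 3

! Verify: the WLAN should show WPA2-PSK for layer 2 and Web-Auth for layer 3
show wlan 3
show netuser summary
```

The layer 2 PSK only gates association, so a monthly rotation still means every guest for that month shares one secret; the per-guest credential from the lobby ambassador is what actually identifies the user, which is why Scott's point about keeping guest support lightweight matters in practice.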

Mark,

I have set up wireless in two other companies related to Rail... The biggest issue will be who will support the guest users and will they take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a DMZ or a separate Internet connection. Will DHCP release the address... Not right away. You can play around with the lease time and see if your laptop keeps getting the same address or one higher. If the issue is with DHCP being used up from association, then don't broadcast the SSID and have the receptionist hand out the SSID with username and password. My clients use a default username and password but change that every week. They seem to prefer that over changing it every day or having a username and password for every guest user. They use WCS to print out the guest credentials. Again, the network team has the receptionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.

Hope this helps.

-Scott
*** Please rate helpful posts ***


Thanks, I will see what our security team comes up with.

Many thanks

Mark
