Solved: Guest SSID Showing Security None on Client Devices

rahulnaik · ‎09-24-2025

Hi Community,

I have configured Local Web Authentication on our Cisco 9800 WLC for the Guest SSID. However, when users connect to the Guest SSID, the client device is displaying the security type as “None”.

Please find the attached snapshot for your reference. Could you kindly confirm if this behavior is expected with Local Web Authentication, or provide any reference documentation to validate the same?

Looking forward to your guidance.

ammahend · ‎09-25-2025

Webauth is for authentication,it itself does not inherently encrypt wireless traffic, what you are seeing is expected behavior. If the infrastructure supports then explore using OWE.

-hope this helps-

View solution in original post

Mark Elsen · ‎09-24-2025

- @rahulnaik That is being reported with bare 'Local Web Authentication' with no other security protocols being involved ; to have added security options take a look at :
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_pol_guest_foreign_vewlc.html#config-guest-acc-sec-method

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

ammahend · ‎09-25-2025

Webauth is for authentication,it itself does not inherently encrypt wireless traffic, what you are seeing is expected behavior. If the infrastructure supports then explore using OWE.

-hope this helps-

Rich R · ‎09-27-2025

When you say Guest SSID I presume you mean Open SSID @rahulnaik ?

That means no encryption - by definition, by design. The wireless traffic is sent in the clear - user traffic should be secured with https and/or VPN.

As @ammahend says WPA3 addresses this with OWE for "open" SSIDs. It's not as secure as full WPA3 but once the connection is negotiated all the wireless traffic is encrypted. In fact OWE is mandatory for open SSIDs in WiFi 6E (on 6GHz) and WiFi 7.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/wpa3-dg.html#OWE

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390