Guest Wireless - Multiple Authentication Methods

CC Estelle
Level 1

Today, I have a guest network, which is set to authenticate via web-auth.  Is it possible to have 1 SSID for both Guest (external users) and Internal users?  Meaning, for the guest/external users, they'll connect via web-auth using a local account that lobby admin sets up for them.  For internal users, I'd have them authenticate via radius which ties to active directory.

I'm thinking I'll need two separate SSIDs. 

Any other suggestions on how to make it work with one SSID would be helpful.


4 Replies

Ric Beeching
Level 7

Hi,

You can have that setup as long as you are ok using the same web-auth portal to do your internal users. You can tell the WLC to authenticate against its local db where the guest accounts are stored and, if that is not successful, it will send the request to your RADIUS server.

That will require you to use the same security as the web-auth portal however, meaning at best it will be a pre-shared key or at worst it will be open authentication.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

Thanks Ric. I was thinking that would work, but I really don't want my employees to have to go the web-auth portal page.

Is it possible to do the same without the web-auth portal page, maybe using WPA2 Enterprise? Have local database and if not successful, send it to radius? 

I wouldn't want to do this, as it would be annoying for my visitors to setup, just wondering if it's possible

This is something I've also had issues with too. The only way I can see it working is instead of having a web-auth portal, you instead create your guest accounts in AD and hand the usernames/passwords out to your guests. You can't have WPA2-Enterprise running with web-auth because there's nowhere for the clients/server to negotiate that 802.1X component.

One other option I was toying with which I'm not 100% on is having WPA2-Enterprise doing EAP-FAST to the local WLC which could then do the same thing, a local db lookup with AD fallback.

I haven't tested that first part to see if it is feasible so it's just an idea at this point!

Ric

-----------------------------
Please rate helpful / correct posts

Exactly what I was thinking. WPA2-Enterprise with local db lookup with AD failback.


I'll probably just need to create a new SSID, as it's easiest for guests to not have to configure their clients.
