Guest WLAN showing up as unsecured network on Apple devices macbook

yogesh.gaikwad1
Level 1

Hello,

We have a Guest WLAN setup using webauth + Cisco ISE server with self-registration + sponsor portal on our Cisco WLC 5520 running 8.10.190.0 version.

One of our customers complained that the network isn't safe to connect to, due to the fact that he observed a warning on his MacBook while trying to connect to our Guest WLAN. The error says "unsecured networks expose all unencrypted network traffic, configure the router to use WPA2/WPA3 personal security type for this network".

On our WLC in the WLAN settings the layer2 security is set to none, because that is how the Guest sponsor portal is setup as per Cisco documentation.

Thus, the question is how to get rid of the warning message shown on some clients that the Guest WLAN SSID is unsecured without enabling the layer 2 security?

Or is it mandatory to enable the layer 2 security to get rid of the message? If yes, what is the point of having a Guest portal using ISE if layer 2 security is enabled and we need to use a PSK?

Please help.

5 Replies

The message will stay there as long as you don't configure encryption for the SSID. Basically you have two possibilities:

1) Tell the guest-user that this is an open WLAN, and he has to make sure to protect his data, for example with a VPN. He should do this anyhow because the WLAN provider can always "spy" on his traffic.

2) Add a passphrase to the WLAN. All guest users need to get this passphrase, which you could print on a sign at the reception desk.

yogesh.gaikwad1
Level 1

I see.

What does this mean practically?

2) Add a passphrase to the WLAN. All guest users need to get this passphrase, which you could print on a sign at the reception desk.

Does it mean that I should also configure a PSK, which the user will put in first, and then the user will further connect to the self-registration portal in ISE? If yes, do you have a reference link to some Cisco document to show how it is done?

eglinsky2012
Level 4

I wanted to bring up a third option to see what others think, enabling Enhanced Open (OWE) on the SSID, with caveats (see below). This provides encryption without authentication (just connect, no PSK). Note that it requires AC Wave 2 (ex. 1800/2800/3800/4800 series) or newer APs, and some clients may not support it, especially if their drivers are out of date. Your mileage may vary, so try on a test SSID with various devices before implementing in production.

Do a Ctrl + F and search for Enhanced Open in this guide. There are different sections for information and configuration: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wlan_security.html

Here's the corresponding guide for 9800 WLCs, OWE section: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/wpa3-dg.html#OWE

Disclaimer: this is not something I have used in production personally. I just tried enabling it on a test SSID on both our AireOS and 9800 WLCs, and an up-to-date iPhone still reports that it's an unsecured network (despite the WLC reporting that it is in fact using OWE -- perhaps something Apple should fix), and an old, out-of-date Android cannot connect at all. Has anyone tested other devices to see if any warnings about an unsecured network go away?

Exactly what I was going to suggest. Just to add - this is using WPA3.
I haven't done enough testing to comment myself on the insecure message - or at least wasn't paying attention to it - will do when I get a chance.

@yogesh.gaikwad1 open public networks (hotspots) are unencrypted by default, and until every device supports WPA3 with OWE or 802.1X with Passpoint or OpenRoaming, they will remain that way.
Remember (almost) everything we do on the internet today is already highly encrypted (that's what HTTPS with TLS v1.3 does), so even if somebody captured the traffic it wouldn't be much use to them. Using a VPN adds an extra layer of security to that. If somebody is concerned about security then they should already be using a VPN when connecting to any network they don't own themselves, regardless of whether the wireless is encrypted or not.

Note that OWE (encryption) is mandatory in the 6 GHz band (Wi-Fi 6E and Wi-Fi 7) for "open" networks, so no unencrypted SSIDs are allowed.
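To make concrete what the client is actually looking at when it decides to show the "unsecured network" warning (and what changes when OWE or a PSK is enabled, as discussed in the two replies above), here is an added example that is not from the thread, from Cisco, or from any poster: a small parser for the RSN information element (element ID 48, IEEE 802.11-2020 clause 9.4.2.24) that classifies a beacon's advertised security. A webauth-only guest SSID sends no RSN element at all, which is what every client reports as open; an OWE SSID advertises AKM selector 00-0F-AC:18; a PSK SSID advertises 00-0F-AC:2. The beacon bodies and the `build_rsn` helper are constructed for this example; the suite selector numbers are the standard ones.

```python
"""Classify the security an 802.11 beacon advertises from its information elements.

Added example (not Cisco's code, not from any poster in the thread). The sample
beacon bodies below are constructed by hand; only the suite selector values are
taken from IEEE 802.11-2020 (Tables 9-149 and 9-151).
"""
import struct

SSID_ELEMENT_ID = 0
RSN_ELEMENT_ID = 48
OUI_IEEE = b"\x00\x0f\xac"          # OUI prefix of the standard suite selectors
OPEN = "Open (no encryption)"

AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE", 18: "OWE"}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128"}


def parse_information_elements(blob: bytes) -> dict:
    """Split a raw IE blob into {element_id: body}; a truncated element is an error."""
    elements, pos = {}, 0
    while pos + 2 <= len(blob):
        element_id, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2: pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        elements[element_id] = body
        pos += 2 + length
    return elements


def _suites(body: bytes, pos: int, count: int, names: dict) -> list:
    """Decode `count` four-byte suite selectors (OUI + type) starting at `pos`."""
    end = pos + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of RSN element")
    out = []
    for k in range(pos, end, 4):
        suite = body[k:k + 4]
        if suite[:3] == OUI_IEEE:
            out.append(names.get(suite[3], f"unknown-{suite[3]}"))
        else:
            out.append("vendor:" + suite.hex())
    return out


def parse_rsn(body: bytes) -> dict:
    """Decode group cipher, pairwise ciphers and AKM suites from an RSN element body."""
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported or truncated RSN element")
    group = _suites(body, 2, 1, CIPHER_NAMES)[0]
    (n_pair,) = struct.unpack_from("<H", body, 6)
    pairwise = _suites(body, 8, n_pair, CIPHER_NAMES)
    pos = 8 + 4 * n_pair
    if pos + 2 > len(body):
        raise ValueError("RSN element ends before AKM count")
    (n_akm,) = struct.unpack_from("<H", body, pos)
    akms = _suites(body, pos + 2, n_akm, AKM_NAMES)
    return {"group_cipher": group, "pairwise_ciphers": pairwise, "akms": akms}


def classify(blob: bytes) -> str:
    """Return the security type a client would display for this beacon's IEs."""
    elements = parse_information_elements(blob)
    if RSN_ELEMENT_ID not in elements:
        # No RSN element at all: the state a webauth-only guest SSID is in, and
        # exactly what a client reports as an unsecured network. (Legacy WPA1 uses
        # vendor element 221 instead; this example does not decode it.)
        return OPEN
    akms = set(parse_rsn(elements[RSN_ELEMENT_ID])["akms"])
    if "OWE" in akms:
        return "Enhanced Open (OWE)"
    if {"SAE", "PSK"} <= akms:
        return "WPA2/WPA3-Personal transition mode"
    if "SAE" in akms:
        return "WPA3-Personal"
    if "PSK" in akms:
        return "WPA2-Personal"
    if "802.1X" in akms:
        return "Enterprise (802.1X)"
    return "RSN with unrecognised AKM: " + ", ".join(sorted(akms))


def build_rsn(akm_ids, cipher_id=4, capabilities=0x0000) -> bytes:
    """Construct a complete RSN element (ID + length + body) for the samples below."""
    body = struct.pack("<H", 1)                                   # RSN version 1
    body += OUI_IEEE + bytes([cipher_id])                         # group cipher
    body += struct.pack("<H", 1) + OUI_IEEE + bytes([cipher_id])  # one pairwise cipher
    body += struct.pack("<H", len(akm_ids))
    for akm in akm_ids:
        body += OUI_IEEE + bytes([akm])
    body += struct.pack("<H", capabilities)                       # RSN capabilities
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


# Constructed sample beacons: an SSID element, optionally followed by an RSN element.
SSID_IE = bytes([SSID_ELEMENT_ID, 5]) + b"Guest"
SAMPLE_BEACONS = {
    "open guest (webauth only)": SSID_IE,
    "WPA2-Personal": SSID_IE + build_rsn([2]),
    "Enhanced Open (OWE)": SSID_IE + build_rsn([18], capabilities=0x00C0),  # MFPC+MFPR
}

if __name__ == "__main__":
    for label, blob in SAMPLE_BEACONS.items():
        print(f"{label:28} -> {classify(blob)}")
```

The point the classifier makes is that the warning is driven purely by what the beacon advertises: web authentication on the WLC happens above layer 2 and leaves the RSN element absent, so no portal configuration on ISE can change the client's verdict. Enabling OWE adds an RSN element with the OWE AKM, which is why it is the only option that keeps the "just connect" experience while giving the client something to report as encrypted, subject to the client-support caveats already noted in the replies.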
