Solved: Need to setup Public Wifi without a password AP1142AG

dradunsky · ‎01-23-2013

Good Morning,

I am trying to set up Public wifi on my three AP1142AG WAPs. They are configured for WDS and VLAN 1 is our corporate network. VLAN 2 is the public network. All this works just fine.

What I need to do is make the Public WiFi available without a password. (Yes, I know that this is not a recommended or even smart idea. But, the client (a City) is adamant.)

Failing a NO PASSWORD scenario is there a way to make the password short (3 or 4 characters at most).

Thanks for the help.

David Radunsky

Scott Fella · ‎01-23-2013

Well autonomous AP's don't have a guest portal page. You would need to have a WLC if you wanted to do what you mentioned. You might look at some 3rd party hotspot software that is built for guest portal access.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

View solution in original post

George Stefanick · ‎01-23-2013

There are free guest portals you might consider..

http://www.untangle.com/store/captive-portal.html

You can provide the customer the software for free and upcharge on the installation.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Stephen Rodriguez · ‎01-23-2013

so let's backup here.

The only requirement you have stated is a free public wifi with no password. This is doable on an aIOS AP. Just remove the WPA/TKIP settings. no encryption, no PSK. done.

Now, if the city wants some sort of AUP, that is a different story.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Scott Fella · ‎01-23-2013

What we are trying to say is you shouldn't use a psk for guest. You should look at something that has a guest portal. So open authentication to a guest portal.

Makes sense?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

George Stefanick · ‎01-23-2013

Let start all over ..

1. What is your business need for the GUEST network

A. Do you require it to be open with no security

B. Do you require a password on the guest network

C. Do you require a guest welcome page

D. Do you need to apply some time of security to the guest wireless

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

George Stefanick · ‎01-23-2013

Well the term "open" is used to mean unencrypted for almost all folks. However "open" authentication has other meanings in 802.11 talk. But that's a different discussion.

Having an open network isnt really a bad thing, so long as you block the correct content. It is crazy they dont want a AUP so the folks know what they are connected to with terms and conditions. But you cant have a encryted network UNLESS you deploy a PSK key or some other time of advanced security like 802.1X. Which adds to tyhe hassle for guest. Lets face it .. You would have to advertise the PSK key and most folks wouldnt know what to do with it anyway.

Sounds to me .. create a open network. Apply your qos and fw rules.

if you find any of this helpful . if you dont mind support the rating system.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Scott Fella · ‎01-23-2013

Well autonomous AP's don't have a guest portal page. You would need to have a WLC if you wanted to do what you mentioned. You might look at some 3rd party hotspot software that is built for guest portal access.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

dradunsky · ‎01-23-2013

Scott,

Thank you for the prompt reply. I was aftraid that was the answer.

The client is not interested (read did not budget) for new APs. So I guess some password will be the answer.

Possibly something shorter than the 14 characters required by WPA.

Thanks, again!

George Stefanick · ‎01-23-2013

There are free guest portals you might consider..

http://www.untangle.com/store/captive-portal.html

You can provide the customer the software for free and upcharge on the installation.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella · ‎01-23-2013

Well I guess you can do that but now they will have to support guest user. Like I mentioned, look at some 3rd party software or some open source as that would be the best way to handle it. Using wpa psk isn't really making it a nice easy way to access a guest network.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

dradunsky · ‎01-23-2013

Scott / George,

Thank you both. However, I don't see how a 3rd party app would be of help. They can't connect to the AP unless they have the wpa key, so how do they get to the third party application.

Am I missing something?

Thanks, again and again.

Stephen Rodriguez · ‎01-23-2013

so let's backup here.

The only requirement you have stated is a free public wifi with no password. This is doable on an aIOS AP. Just remove the WPA/TKIP settings. no encryption, no PSK. done.

Now, if the city wants some sort of AUP, that is a different story.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

dradunsky · ‎01-23-2013

Steve,

Let me be sure I understand. You said:

The only requirement you have stated is a free public wifi with no password. ->That is correct.

This is doable on an aIOS AP. Just remove the WPA/TKIP settings. -> So this allows any user to connect?

no encryption, no PSK. -> Does this then mean that the transmission between wap and client are not encrypted?

Thanks.

Scott Fella · ‎01-23-2013

What we are trying to say is you shouldn't use a psk for guest. You should look at something that has a guest portal. So open authentication to a guest portal.

Makes sense?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

dradunsky · ‎01-23-2013

Scott,

Possibly. I am apprently a bit out of my depth with the whole authentication thing.

When you say "open authentication against a port" would that analgous to using RADIUS server for VPN connections on a firewall?

So how do they connect to the Authentication server without a wireless connection? Or is the connection established UNTIL they fail to authenticate?

Thanks.

dradunsky · ‎01-23-2013

PS. I'm new. How do I assign points?

Thanks.

George Stefanick · ‎01-23-2013

Let start all over ..

1. What is your business need for the GUEST network

A. Do you require it to be open with no security

B. Do you require a password on the guest network

C. Do you require a guest welcome page

D. Do you need to apply some time of security to the guest wireless

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

dradunsky · ‎01-23-2013

George,

Sorry to be confusing the issue.

1. What is your business need for the GUEST network -> Public access wifi while users are in Town Hall. The Town

just wants to provide wireless with no strings attached. (Yes, that is scary.) My firewall will be doing

minor web filtering to keep porn out of Town Hall (at least I got them to agree to that.)

A. Do you require it to be open with no security -> I would prefer that the communication between device and

WAP were encrypted to avoid eavesdropping, is that what you mean by security?

B. Do you require a password on the guest network -> No

C. Do you require a guest welcome page -> No

D. Do you need to apply some time of security to the guest wireless -> Security? Other than encrypted

transmission, no. Is this the same as A?

Thanks again.

George Stefanick · ‎01-23-2013

Ok, if you require the wireless connection between the guest and access point you do need PSK or some advance encryption like 802.1X. But either will require the guest user to add a PSK key or password. Not very guest friendly.

Here is what I might suggest ..

1. Open network (the purpose of the guest network is to be open and easy)

2. Apply your firewall rules to keep from accessing certain things

3. Consider a guest portal page (like the one I mentioned). This way people have to "accept" terms and conditions.

4. Apply bandwidth restrictions so guest don't eat up your pipe

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

dradunsky · ‎01-23-2013

George,

Thank you!

So should I understand an "Open wireless" to be un-encrypted?

Am I crazy to think that this is a bad idea, or just paranoid?

2 and 3 are good suggestions. In all Towns that we manage public wifi there is an AUP page and acceptance. But these folks don't want to be seen as censors, so they just the old "go for it".

4, I hadn't thought of but that is a mighty good idea.

Thank you again.