Guest network for visitors and employees

mcgonzaga
Level 1

Today I have a GUEST SSID that uses a captive portal and is configured with open authentication. To increase security, we have been asked to enable WPA2+WPA3 on this network.
I would like to know whether it is possible to configure the GUEST SSID with WPA2+WPA3 without using a PSK password and keep redirecting users to the captive portal for authentication, which today is done on ISE. Can you tell me whether this is possible without harming the way the network works?

Accepted Solution

mcgonzaga
Level 1

Thank you all for your support.

7 Replies

JPavonM
VIP

Wireless security at L2 (WPA3 Transition mode) is different from authentication at other layers, in this case, Captive Portal. So yes, you can use an SSID with WPA3 Transition mode (recommended to enable Transition Disable) with a PSK and SAE both active, and then redirect all traffic to the Captive Portal as usual.

Rich R
VIP

If you use WPA2 then the connection has to be encrypted using pre-shared key (PSK) or 802.1x so in that case the answer is NO.

WPA3 introduced support for OWE but that is only supported with WPA3 - it's not part of WPA2:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html#OWE
What model of WLC are you using, what model(s) of AP are you using and what version of software are you using?
All of those are relevant to what you will be able to configure.

mcgonzaga
Level 1

So in this case do I need to leave a PSK password configured anyway?
If it has to stay in this format, the guest network loses momentum for visitors, who now only register and gain access valid for 24 hours.
With a PSK password, will it be necessary to provide this password to visitors so that they can register correctly?

> So in this case do I need to leave a PSK password configured anyway?
Not unless you WANT to have to share a PSK with your visitors.  That defeats the purpose of guest WiFi but is not unheard of!  We have customers that ask for that so that they have extra control over who accesses their guest network.

> With a PSK password, will it be necessary to provide this password to visitors so that they can register correctly?
Yes

Who did this request come from?
These sorts of requests often come from security teams who have hired a pen-tester or security auditor who comes in and runs an automated scanner which spits out a whole lot of "best practice recommendations" which includes "All SSIDs should be encrypted with WPA2/WPA3" which would be appropriate for a corporate network but is completely inappropriate for a hotspot/guest network.  Unfortunately the person doing the report is too stupid to understand what it means or they don't even read it themselves - they just paste the output from the scanner into their report and submit it - job done.
It requires an intelligent human being to read and assess the report and reply saying "this is absolute rubbish and completely inappropriate for a guest network which is open by design".  Guest users have a responsibility to encrypt all their traffic themselves (VPN, https, DNS over HTTPS etc).

Now WPA3 makes it possible to derive some security with OWE encryption but it's not the same as PSK or 802.1x but there are strong dependencies on your hardware and software and the clients.  Even if your hardware and software supports it, many clients will not support it.

This answer was one of the best answers I've seen right now, it would be funny if not tragic hahaha, but it's a shame that I can't answer that way in the future.
Today we use Cisco Catalyst 9800-CL Wireless Controller in the version 17.6.4, with Access Point C9120AXI-Z and C9115AXI-Z.

In this part we have already tried to explain that enabling WPA2 with a PSK password would remove all the dynamics and purpose of the Guest network. But they raised the tone so that there is another level of security before the captive portal. My question is, is there any other type of security that can be implemented that does not ruin the dynamics of a Guest network?

In that case your only options are WPA3 with OWE or WPA2/WPA3 with PSK <smile>
When users complain ask them to contact the person who insisted on this <smile>
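The modes discussed in the replies above (open, WPA2-PSK, WPA3 transition with PSK and SAE both advertised, and WPA3-OWE) can be told apart from the AKM suite list in the RSN information element an AP beacons. The following Python parser is an added illustration, not code from any post in this thread; the three sample IEs are constructed by hand (standard 00-0F-AC suite selectors, CCMP-128 ciphers), not captured from a real network, and the classification labels are my own naming.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI used by all standard RSN suites
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256"}

def _suites(buf, off):
    """Little-endian count followed by that many 4-byte suite selectors."""
    (n,) = struct.unpack_from("<H", buf, off)
    sels = [buf[off + 2 + 4 * i: off + 6 + 4 * i] for i in range(n)]
    if any(s[:3] != OUI for s in sels):
        raise ValueError("vendor-specific suite selector not handled")
    return [s[3] for s in sels], off + 2 + 4 * n

def parse_rsn(ie):
    """Parse an RSN IE body (802.11 element ID 48 with tag and length stripped)."""
    if struct.unpack_from("<H", ie, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    group = ie[5]                      # bytes 2..5 hold the group cipher suite
    pairwise, off = _suites(ie, 6)
    akms, off = _suites(ie, off)
    # RSN Capabilities is optional; treat a missing field as all-zero
    caps = struct.unpack_from("<H", ie, off)[0] if len(ie) >= off + 2 else 0
    return {"group": CIPHER.get(group, "?"),
            "pairwise": [CIPHER.get(c, "?") for c in pairwise],
            "akm": [AKM.get(a, "akm-%d" % a) for a in akms],
            "pmf_capable": bool(caps & 0x0080),   # MFPC, bit 7
            "pmf_required": bool(caps & 0x0040)}  # MFPR, bit 6

def classify(ie):
    """Name the L2 security mode the way the replies above discuss it."""
    if ie is None:                      # beacon carried no RSN IE at all
        return "Open (no L2 encryption; captive portal only)"
    akm = set(parse_rsn(ie)["akm"])
    if "OWE" in akm:
        return "WPA3-OWE"
    if "SAE" in akm and akm & {"PSK", "PSK-SHA256"}:
        return "WPA3 transition (SAE + PSK)"
    if "SAE" in akm:
        return "WPA3-SAE"
    if akm & {"802.1X", "802.1X-SHA256"}:
        return "WPA2/WPA3-Enterprise (802.1X)"
    return "WPA2-PSK"

# Constructed sample IE bodies (hand-built, not captured from any real AP)
PSK_IE = bytes.fromhex("0100000fac040100000fac040100000fac020000")                # one AKM: PSK
TRANSITION_IE = bytes.fromhex("0100000fac040100000fac040200000fac02000fac088000")  # PSK + SAE, MFPC
OWE_IE = bytes.fromhex("0100000fac040100000fac040100000fac12c000")                # OWE, MFPC + MFPR
```

Feeding the parser real IEs from a capture of your own SSID shows which modes your APs actually advertise; a client that lacks the OWE or SAE suite in its supported list will not join the corresponding WLAN.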

