Solved: Where to setup password for guest in c9800

interfacedy · ‎07-24-2021

Hi Guest ssid, wlan, and policy are configured based on cisco document attached link. it uses internal web server. Client PC can get correct ip address from the c9800, but auth web page does not show up. I notice I did not have chance to setup password during the setup process based on the document. Why the document does not show the step? where to setup the password? Thank you

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213923-configure-a-web-authentication-ssid-on-c.html

Arshad Safrulla · ‎07-27-2021

LWA config wise you are fine, but why you have set a native VLAN on the trunk? I wouldn't do that. And also you dont need a SVI for Guest VLAN. Just the L2 VLAN is sufficient, remove the SVI for Guest VLAN, but allow the Guest VLAN in the trunk port. This means you have to have the DHCP configured somewhere else as well. Add the ip route for the WLC as well, it should point to the WLC management VLAN gateway.

In order for the LWA to work you need to have an IP address with DNS reachability from the client, then when the client opens a website, dns kicks in and resolves it to an IP, client tries to access the IP and WLC intercepts it and prompts the landing page. You can also add the below command under ur parameter map.

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
logout-window-disabled
success-window-disable
intercept-https-enable

If DNS reachability is not there you can test by directly accessing the 192.0.2.1 in a browser. This should prompt you the LWA page.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

balaji.bandi · ‎07-24-2021

Are you looking to have local authentication rather ISE - is this correct - so can you check the Same document bottom you see - is this what are you looking?

Step 7. Create your user credentials.

For local users configuration navigate to Administration > User Administration and create the needed credentials.

Some reference :

https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

David Ritter · ‎07-26-2021

Configuration*>Security*> Guest User

Looks much like Prime..

General

User Name

Password

Generate password

Confirm Password

Description

AAA Attribute list

No. of Simultaneous User Logins

Enter 0 for unlimited users

I see they have upped the Concurrent log-ons from 8 to 64

interfacedy · ‎07-26-2021

Thank you for your reply. I think you are right.

Actually I want to get some idea by this post to resolve the issue that auth web page cannot show up after pc connect to the guest ssid. I checked several times, but i could not find some steps missing or wrong. Don't know why auth page cannot pop up.

Arshad Safrulla · ‎07-26-2021

Please share the controller model, IOS-XE code running and AP models

Also do you have IP http server enabled under the configuration? Unless you are not running the latest IOS-XE codes this is mandatory for the LWA to work properly in 9800..

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

interfacedy · ‎07-26-2021

Hi Arshadsaf, Thank you very much for your reply.

Please see the below config

WLC97#sh running-config
Building configuration...

Current configuration : 18690 bytes

!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname WLC12345
!
boot-start-marker
boot-end-marker
!
!
enable password zxzxzx
!
aaa new-model
!
!
aaa authentication login LocalWeb1 local
aaa authorization network default local
!
!
aaa attribute list wlan_lobby_access
!
!
aaa session-id common
clock timezone Eastern 0 0
clock calendar-valid
vtp mode off
!
!
!
!
!
!
!
ip dhcp excluded-address 10.0.7.0 10.0.7.100
!
ip dhcp pool Guest-vlan37-dhcp-pool
network 10.0.7.0 255.255.255.0
default-router 10.0.7.10
dns-server 10.0.7.10
lease infinite
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
parameter-map type webauth global
virtual-ip ipv4 192.0.2.1
!
!
parameter-map type webauth WebMap1
type webauth
!
access-session mac-move deny
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki server WLC_CA
database archive pkcs12 password 7 020706
issuer-name O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC_WLC
grant auto
hash sha1
lifetime certificate 3652
lifetime ca-certificate 3652
!
crypto pki trustpoint TP-self-signed-1244097669
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1244
revocation-check none
rsakeypair TP-self-signed-1244097669
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint WLC_CA
revocation-check crl
rsakeypair WLC_CA
!
crypto pki trustpoint WLC_WLC_TP
enrollment url
serial-number
password 7 104F0B1A2
subject-name O=Cisco Virtual Wireless LAN Controller, CN=WLC_WLC_TP
revocation-check crl
rsakeypair WLC_WLC_TP
eku request server-auth client-auth
!
!
!
!
!
!
license udi pid C9800-CL-K9 sn 98OO4
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
diagnostic bootup level minimal
memory free low-watermark processor 71038
!
!
username admin privilege 15 password 0 zxzxzx
user-name Guest-User
creation-time 16273488
description Guest-User
password 0 zxzxzx
type network-user description Guest-User guest-user lifetime year 0 month 0 day 1 hour 0 minute 0 second 0
!
redundancy
mode sso
!
!
!
!
!
!

Arshad Safrulla · ‎07-27-2021

LWA config wise you are fine, but why you have set a native VLAN on the trunk? I wouldn't do that. And also you dont need a SVI for Guest VLAN. Just the L2 VLAN is sufficient, remove the SVI for Guest VLAN, but allow the Guest VLAN in the trunk port. This means you have to have the DHCP configured somewhere else as well. Add the ip route for the WLC as well, it should point to the WLC management VLAN gateway.

In order for the LWA to work you need to have an IP address with DNS reachability from the client, then when the client opens a website, dns kicks in and resolves it to an IP, client tries to access the IP and WLC intercepts it and prompts the landing page. You can also add the below command under ur parameter map.

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
logout-window-disabled
success-window-disable
intercept-https-enable

If DNS reachability is not there you can test by directly accessing the 192.0.2.1 in a browser. This should prompt you the LWA page.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

interfacedy · ‎07-28-2021

It works. Thank you very much for your very nice explaination!