Skybgp
Beginner

Where to setup password for guest in c9800

Hi. The guest SSID, WLAN, and policy are configured based on the Cisco document at the link attached; it uses the internal web server. The client PC gets a correct IP address from the C9800, but the auth web page does not show up. I notice I did not have a chance to set up a password during the setup process described in the document. Why does the document not show that step? Where do I set up the password? Thank you.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213923-configure-a-web-authentication-ssid-on-c.html

 

ACCEPTED SOLUTION
Arshadsaf
Rising star

LWA config-wise you are fine, but why have you set a native VLAN on the trunk? I wouldn't do that. Also, you don't need an SVI for the guest VLAN; just the L2 VLAN is sufficient. Remove the SVI for the guest VLAN, but allow the guest VLAN on the trunk port. This means you have to have DHCP configured somewhere else as well. Add the ip route for the WLC as well; it should point to the WLC management VLAN gateway.

In order for LWA to work, the client needs an IP address with DNS reachability. Then, when the client opens a website, DNS kicks in and resolves it to an IP, the client tries to access that IP, and the WLC intercepts it and prompts the landing page. You can also add the commands below under your parameter map.

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
logout-window-disabled
success-window-disable
intercept-https-enable

 

If DNS reachability is not there, you can test by directly accessing 192.0.2.1 in a browser. This should prompt you with the LWA page.

______________
Arshad Safrulla


7 REPLIES
balaji.bandi
VIP Master

Are you looking to have local authentication rather than ISE? Is this correct? If so, can you check the bottom of the same document; is this what you are looking for?

 

Step 7. Create your user credentials.

For local users configuration navigate to Administration > User Administration and create the needed credentials.

 

Some references:

 

https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/

 

BB


David Ritter
Enthusiast

Configuration > Security > Guest User

Looks much like Prime..

General
  User Name
  Password
  Generate password
  Confirm Password
  Description
  AAA Attribute list (select: mse_005056bb3b21, mse_0050568f1bc8, wlan_lobby_access)
  No. of Simultaneous User Logins (enter 0 for unlimited users)

I see they have upped the concurrent log-ons from 8 to 64.

Thank you for your reply. I think you are right.

Actually, I want to get some ideas from this post to resolve the issue that the auth web page cannot show up after the PC connects to the guest SSID. I checked several times, but I could not find any steps missing or wrong. I don't know why the auth page cannot pop up.

Please share the controller model, the IOS-XE code running, and the AP models.

Also, do you have ip http server enabled under the configuration? Unless you are running the latest IOS-XE code, this is mandatory for LWA to work properly on the 9800.

______________
Arshad Safrulla
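The two prerequisites raised in this thread, the ip http server question just above and the accepted answer's points about the global webauth parameter-map and DNS reachability, are easy to miss when reading a long running-config by eye. The script below is an added example, not Cisco's code nor anything a poster shared: it parses a 9800 running-config dump in the same shape as the one posted in this thread (unindented sub-commands separated by "!") and reports what is missing for local web auth. The sample config is constructed after the posted one with the lines under discussion left out, the severities and messages are my own, and the check for ip http secure-server is my assumption beyond what the thread states. It also flags the type-0 (cleartext) passwords visible in the posted config, which the 9800 stores reversibly.

```python
import re

# Constructed sample in the shape of the running-config posted in this thread:
# unindented sub-commands, '!' separators, with 'ip http server' and the
# recommended global parameter-map lines deliberately absent.
SAMPLE_CONFIG = """\
enable password zxzxzx
!
aaa new-model
aaa authentication login LocalWeb1 local
aaa authorization network default local
!
ip dhcp pool Guest-vlan37-dhcp-pool
network 10.0.7.0 255.255.255.0
default-router 10.0.7.10
dns-server 10.0.7.10
lease infinite
!
parameter-map type webauth global
virtual-ip ipv4 192.0.2.1
!
parameter-map type webauth WebMap1
type webauth
!
username admin privilege 15 password 0 zxzxzx
user-name Guest-User
password 0 zxzxzx
type network-user description Guest-User guest-user lifetime year 0 month 0 day 1 hour 0 minute 0 second 0
!
"""

# Sub-command blocks the audit cares about; everything else is treated as top level.
BLOCK_START = re.compile(r"^(parameter-map type webauth \S+|ip dhcp pool \S+|user-name \S+)$")


def parse_blocks(config_text):
    """Return (top_level_lines, {block_header: [sub_command, ...]}).
    Sub-commands belong to the most recent block header until a '!' separator,
    so the parser works even when leading indentation was lost in a paste."""
    top, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif BLOCK_START.match(line):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            top.append(line)
    return top, blocks


def audit_lwa(config_text):
    """Return [(severity, message)] for the LWA prerequisites discussed in the thread."""
    top, blocks = parse_blocks(config_text)
    findings = []

    def has(pattern, lines):
        return any(re.match(pattern, line) for line in lines)

    # The portal is served by IOS-XE's own web server (the 'ip http server' question above).
    if not has(r"ip http server$", top):
        findings.append(("FAIL", "'ip http server' is not configured; the internal web server must be on for LWA"))
    if not has(r"ip http secure-server$", top):  # assumption: enabled alongside 'ip http server' for the HTTPS portal
        findings.append(("WARN", "'ip http secure-server' is not configured; enable it alongside 'ip http server'"))

    # Global webauth parameter-map: the virtual IP the WLC answers on, plus the lines from the accepted answer.
    glob = blocks.get("parameter-map type webauth global")
    if glob is None:
        findings.append(("FAIL", "no 'parameter-map type webauth global'"))
    else:
        if not has(r"virtual-ip ipv4 \S+", glob):
            findings.append(("FAIL", "global webauth parameter-map has no 'virtual-ip ipv4'"))
        if not has(r"type webauth$", glob):
            findings.append(("WARN", "global webauth parameter-map lacks 'type webauth'"))
        if not has(r"intercept-https-enable$", glob):
            findings.append(("INFO", "'intercept-https-enable' not set; HTTPS requests are not redirected to the portal"))

    # A named map with 'type webauth' is what gets attached to the guest WLAN.
    named = [h for h in blocks if h.startswith("parameter-map type webauth ") and h != "parameter-map type webauth global"]
    if not any(has(r"type webauth$", blocks[h]) for h in named):
        findings.append(("FAIL", "no WLAN webauth parameter-map with 'type webauth'"))

    # Local authentication for the portal.
    if not has(r"aaa authentication login \S+ local$", top):
        findings.append(("FAIL", "no 'aaa authentication login <list> local' method list for the portal"))
    if not has(r"aaa authorization network default local$", top):
        findings.append(("WARN", "'aaa authorization network default local' is missing"))

    # The guest credential the question asks about (Administration > User Administration)
    # appears in the config as a 'user-name' block of type network-user.
    guests = [h for h in blocks if h.startswith("user-name ") and has(r"type network-user", blocks[h])]
    if not guests:
        findings.append(("FAIL", "no guest account ('user-name <x>' with 'type network-user')"))
    for h in guests:
        if not has(r"password ", blocks[h]):
            findings.append(("FAIL", f"{h}: no password set"))

    # DNS reachability is what triggers the redirect; an infinite lease exhausts a guest pool.
    for h, lines in blocks.items():
        if h.startswith("ip dhcp pool "):
            if not has(r"dns-server ", lines):
                findings.append(("FAIL", f"{h}: no dns-server, so clients cannot resolve a name to trigger the intercept"))
            if has(r"lease infinite$", lines):
                findings.append(("WARN", f"{h}: 'lease infinite' never returns guest addresses to the pool"))

    # Credential storage: type-0 passwords sit in the config in the clear.
    def scan(label, lines):
        for line in lines:
            if re.match(r"enable password ", line):
                findings.append(("WARN", "'enable password' is stored reversibly; use 'enable secret'"))
            elif re.search(r"\bpassword 0 \S+", line):
                redacted = re.sub(r"password 0 \S+", "password 0 <redacted>", line)
                findings.append(("WARN", f"cleartext password in {label}: {redacted}"))

    scan("top level", top)
    for h, lines in blocks.items():
        scan(h, lines)
    return findings


if __name__ == "__main__":
    for severity, message in audit_lwa(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG and fix every FAIL first; for the sample above the only FAIL is the missing ip http server line, which is exactly the question asked in this reply. Adding ip http server and ip http secure-server at top level and type webauth plus intercept-https-enable under the global parameter-map leaves only the WARN findings about lease infinite and the type-0 passwords.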

Hi Arshadsaf, thank you very much for your reply.

Please see the config below:

WLC97#sh running-config
Building configuration...

Current configuration : 18690 bytes

!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname WLC12345
!
boot-start-marker
boot-end-marker
!
!
enable password zxzxzx
!
aaa new-model
!
!
aaa authentication login LocalWeb1 local
aaa authorization network default local
!
!
aaa attribute list wlan_lobby_access
!
!
aaa session-id common
clock timezone Eastern 0 0
clock calendar-valid
vtp mode off
!
!
!
!
!
!
!
ip dhcp excluded-address 10.0.7.0 10.0.7.100
!
ip dhcp pool Guest-vlan37-dhcp-pool
network 10.0.7.0 255.255.255.0
default-router 10.0.7.10
dns-server 10.0.7.10
lease infinite
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
parameter-map type webauth global
virtual-ip ipv4 192.0.2.1
!
!
parameter-map type webauth WebMap1
type webauth
!
access-session mac-move deny
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki server WLC_CA
database archive pkcs12 password 7 020706
issuer-name O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC_WLC
grant auto
hash sha1
lifetime certificate 3652
lifetime ca-certificate 3652
!
crypto pki trustpoint TP-self-signed-1244097669
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1244
revocation-check none
rsakeypair TP-self-signed-1244097669
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint WLC_CA
revocation-check crl
rsakeypair WLC_CA
!
crypto pki trustpoint WLC_WLC_TP
enrollment url
serial-number
password 7 104F0B1A2
subject-name O=Cisco Virtual Wireless LAN Controller, CN=WLC_WLC_TP
revocation-check crl
rsakeypair WLC_WLC_TP
eku request server-auth client-auth
!
!
!
!
!
!
license udi pid C9800-CL-K9 sn 98OO4
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
diagnostic bootup level minimal
memory free low-watermark processor 71038
!
!
username admin privilege 15 password 0 zxzxzx
user-name Guest-User
creation-time 16273488
description Guest-User
password 0 zxzxzx
type network-user description Guest-User guest-user lifetime year 0 month 0 day 1 hour 0 minute 0 second 0
!
redundancy
mode sso
!
!
!
!
!
!


It works. Thank you very much for your very nice explanation!
