Wlan Controller Hotspot Solution

blackswans · ‎08-12-2014

Hi,

We are using cisco wlan controller for our wireless network. By the way we need guest internet access for our guests. Can we make a hotspot solution with only our controller? I mean the user will join the guest network and then a web page opens then user enters the credentials. Then he can use the internet.

Thanks.

mohanak · ‎08-13-2014

Wireless LAN Controller Web Authentication Configuration Example:

Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except DHCP and DNS -related packets) from a particular client until that client has correctly supplied a valid username and password. It is a simple Authentication method without the need for a supplicant or client utility. Web authentication is typically used by customers who want to deploy a guest-access network. Typical deployments can include "hot spot" locations such as T-Mobile or Starbucks.

Keep in mind that web authentication does not provide data encryption. Web authentication is typically used as simple guest access for either a "hot spot" or campus atmosphere where the only concern is the connectivity.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html

blackswans · ‎08-18-2014

Should we use different vlan from the internal network or is it enough to use an ACL for restricting traffic to internal network and allow only internet access?

Thanks.

Sandeep Choudhary · ‎08-18-2014

HI,

it is always good to have a different VLAN for Guest acces.

Here is the basic WEBAIUTH guide:

http://rscciew.wordpress.com/2014/06/19/wlc-webauth-configuration/

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch10GuAc.html

Regards

Dont forget to rate helpful posts

mohanak · ‎08-18-2014

Its better to use different Vlans:

The LAP is registered to the WLC. The WLC is connected to the Layer 2 switch. The router that connects the users to the WAN also connects to the Layer 2 switch. You need to create two WLANs, one for the guest users and the other for the internal LAN users. You also need a DHCP server to provide IP addresses for the guest and internal wireless clients. The guest users use web authentication in order to access the network. The internal users use EAP authentication. The 2811 router also acts as the DHCP server for the wireless clients.

Note: This document assumes that the WLC is configured with the basic parameters and the LAP is registered to the WLC. Refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC) for information on how to configure the basic parameters on a WLC and how to register the LAP to WLC.

When configured as a DHCP server, some of the firewalls do not support DHCP requests from a relay agent. The WLC is a relay agent for the client. The firewall configured as a DHCP server ignores these requests. Clients must be directly connected to the firewall and cannot send requests through another relay agent or router. The firewall can work as a simple DHCP server for internal hosts that are directly connected to it. This allows the firewall to maintain its table based on the MAC addresses that are directly connected and that it can see. This is why an attempt to assign addresses from a DHCP relay are not available and the packets are discarded. PIX Firewall has this limitation.

gohussai · ‎08-18-2014

Yes you can use but make sure following things are met.

WLC should have enough coverage to provide internet access to the guests,,[i.e if using Large Area use External annenta]

WLAN created for Guest and internal users must have differnet VLANS for broadcast isolation on L2

WLAN for guest access must have L3 web-auth enabled from controller interface.

create internal users from WLC GUI for testing guest WLAN users then you can use ACS or ISE for actual deployment.

Futher configuration guide is already attached in previous replies.

hope this help.