Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth

Unanswered Question
Jan 29th, 2009

I am not able to test this.


Has anybody configured the CUWN guest access with WPA PSK layer 2 and Web authentication layer 3?


If so, are there any problems that I should expect?


Mark

Scott Fella Thu, 01/29/2009 - 05:39
There isn't any issue doing that, but if you are going to do this for guest access then you should probably keep it open and use webauth to allow guest access. You don't want to be responsible to set up non-employee devices and you don't want to take on the responsibility of something going wrong with their equipment. Now if you want to use it for internal use, then I guess it is okay, but it defeats the purpose of single sign-on.

mark.cronin Thu, 01/29/2009 - 05:55

Fella


Thanks, our security team are not keen on people just being able to associate with the LWAPs and getting an IP address from the WLC DHCP pool. I know there is not much that the wireless client can do until it web authenticates but it is deemed as a security risk.


So I am going to propose dual authentication WPA-PSK (we will change the key on a monthly basis) and when they associate use the web authentication using the username and password created by the lobby ambassador feature.


On a side note: if you only use web policy but the client does not associate, does the client get disassociated after 5 mins and does the DHCP entry on the WLC get removed from the DHCP database?


Thanks


Mark



Scott Fella Thu, 01/29/2009 - 06:10

Mark,


I have set up wireless in two other companies related to Rail... The biggest issue will be who will support the guest users and will they take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a DMZ or separate Internet connection. Will DHCP release the address... Not right away. You can play around with the lease time and see if your laptop keeps getting the same address or one higher. If the issue is with DHCP being used up from association, then don't broadcast the SSID and have the receptionist hand out the SSID with username and password. My clients use a default username and password but change that every week. They seem to prefer that over changing it every day or having a username and password for every guest user. They use WCS to print out the guest credentials. Again, the network team has the receptionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.


Hope this helps.

mark.cronin Thu, 01/29/2009 - 06:14

Fella


Thanks, I will see what our security team comes up with.


Many thanks


Mark
