Using AD to authenticate BYOD users on Guest WLAN

perrymcgrew
Level 1

First off, I have several WLANs -- one is a "Guest" that is anchored to our corporate WiSMv1 running 7.0.240.0 code. We have many 5508s running 8.0.100.0 -- the "guest" is tunneled back to the core WiSMv1. Right now, the Guest splashes a web page that a user just has to click through to get on the Guest WLAN. I currently have a production WLAN set up to use 802.1x and pass credentials through Win 2012R2 NPS (Radius) so that our employees can log on using their AD credentials.

We are looking to avoid the complexity and cost of ISE. We want to build a basic self-subscription process. I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call. Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller. Behind the scenes, we will load these credentials into an AD OU. The bottom of this web page will be the fields for the user to enter the ID / PW which in turn will be validated against the AD.

I can't mess with the current Guest "anchored" in the corporate WiSM. We already have a custom web page and it appears you can only have one. So I was thinking of setting it up at one of the remote 5508 sites... I can download a custom web page there and I believe I can still use the "management" interface to grab IPs out of the Guest Subnet that resides in our HQ.

My uncertainty revolves around the WLC / WLAN setup to use AD (via Radius if necessary) to validate the user -- and since it is BYOD, I have no idea what the client device will be and do not want the user to be required to do any setup.

I have gone through a lot of docs --- many talk about ISE.  Others are really old -- and of course there is difference between WLC web pages simply due to the 8.0 code on the 5508s!

I am hoping this is a fairly straight forward setup.  

TIA - Perry
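The "load these credentials into an AD OU" step of the self-subscription design, as an added example that is not part of this thread or of any Cisco product: it creates a short-lived guest account in a dedicated OU and group so an NPS policy for the web-auth WLAN can be scoped to that group only. The OU path, group name and lifetime are placeholders, and it assumes the RSAT ActiveDirectory module on a host with rights to that OU.

```powershell
# Added example, not from the thread. Provisions a time-limited guest account
# that NPS can validate for the web-auth WLAN. OU, group and lifetime below are
# placeholders to adapt to your domain.
Import-Module ActiveDirectory

$GuestOU     = 'OU=WiFiGuests,DC=example,DC=local'   # placeholder OU
$GuestGroup  = 'WiFi-Guest-Users'                    # placeholder group matched by the NPS policy
$LifetimeHrs = 24                                    # placeholder validity window

function New-GuestSecret {
    param([int]$Length = 10)
    # 32-character alphabet without 0/O/1/I (easy to read out over the phone).
    # 256 mod 32 = 0, so (byte % 32) picks each character with equal probability.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-GuestAccount {
    param([Parameter(Mandatory)][string]$Phone)   # caller's number, kept for audit only
    $userName = 'guest-' + (New-GuestSecret -Length 6)
    $password = New-GuestSecret -Length 10
    $expires  = (Get-Date).AddHours($LifetimeHrs)

    # Account lives only in the guest OU, expires automatically, and is placed in
    # the group the NPS network policy checks, so it cannot satisfy the 802.1x policy.
    New-ADUser -Name $userName -SamAccountName $userName `
        -Path $GuestOU `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Enabled $true `
        -AccountExpirationDate $expires `
        -ChangePasswordAtLogon $false `
        -Description "Self-service guest requested from $Phone"
    Add-ADGroupMember -Identity $GuestGroup -Members $userName

    # Returned to the caller-notification step (SMS/voice); never write the password to a log.
    [pscustomobject]@{ UserName = $userName; Password = $password; Expires = $expires }
}

function Remove-ExpiredGuestAccounts {
    # Scheduled cleanup so expired self-service accounts do not accumulate in the OU.
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $GuestOU |
        Remove-ADUser -Confirm:$false
}

# Usage: $cred = New-GuestAccount -Phone '+15555550100'
```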

3 Replies

Dhiresh Yadav
Cisco Employee

Hi,

Your first three paragraphs say that you want to modify the Guest page only. But after that you talk about BYOD. BYOD involves device registration, supplicant provisioning etc. and is for an entirely different use. If you think you are asking about that, please go through this Tech-Talk by me to understand BYOD (video as well as brief note) along with the PPT having all the required configuration on the WLC side, AD side, CA server and ISE side.

"We want to build a basic self-subscription process. I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call. Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller."

If the requirement is the above, i.e. display a phone number which the user would call to get credentials, it can be done by simply modifying the HTML web page to show that number and loading it into the WLC, or else hosting that page on some external server. In fact, you can modify the internal web page of the WLC via Security > Web Authentication and write a header and message to be displayed on the web page which the WLC shows, which can have your mobile number to call. Once credentials are submitted, the WLC can do RADIUS authentication.

Also, 8.0 simply brings the Redirection over HTTPS feature into the WLC and there is no change in anything else, i.e. the concept by which web authentication works.

Regards

Dhiresh

**Please rate helpful posts**

Dhiresh,

Thanks for the reply. I may have confused the topic by giving too much background. Yes, we are looking to do this to handle basic BYOD -- but we are a Healthcare facility and we have family members that come in at all times of the day & night. So it is BYOD in the sense of I don't know what devices these people will be using. We already have an automated process, using Twilio, to have employees reset their AD Passwords. We are going to adapt it to provide guests with ID / PW to be able to access the Guest Network.

We currently have a guest network with a customized web page... I can't modify that as it is "production" and it seems you can only have one page "per controller".

Perry

Hi,

Yeah, you are correct, at least per SSID only one page is possible.

Regards

Dhiresh

**Please rate helpful posts**
