Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Wlan Controller Hotspot Solution


We are using cisco wlan controller for our wireless network. By the way we need guest internet access for our guests. Can we make a hotspot solution with only our controller? I mean the user will join the guest network and then a web page opens then user enters the credentials. Then he can use the internet.


Everyone's tags (1)

Wireless LAN Controller Web

Wireless LAN Controller Web Authentication Configuration Example:

Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except DHCP and DNS -related packets) from a particular client until that client has correctly supplied a valid username and password. It is a simple Authentication method without the need for a supplicant or client utility. Web authentication is typically used by customers who want to deploy a guest-access network. Typical deployments can include "hot spot" locations such as T-Mobile or Starbucks.

Keep in mind that web authentication does not provide data encryption. Web authentication is typically used as simple guest access for either a "hot spot" or campus atmosphere where the only concern is the connectivity.

New Member

Should we use different vlan

Should we use different vlan from the internal network or is it enough to use an ACL for restricting traffic to internal network and allow only internet access?


VIP Purple

HI,it is always good to have


it is always good to have a different VLAN for Guest acces.

Here is the basic WEBAIUTH guide:


Dont forget to rate helpful posts



Its better to use different

Its better to use different Vlans:

The LAP is registered to the WLC. The WLC is connected to the Layer 2 switch. The router that connects the users to the WAN also connects to the Layer 2 switch. You need to create two WLANs, one for the guest users and the other for the internal LAN users. You also need a DHCP server to provide IP addresses for the guest and internal wireless clients. The guest users use web authentication in order to access the network. The internal users use EAP authentication. The 2811 router also acts as the DHCP server for the wireless clients.


Note: This document assumes that the WLC is configured with the basic parameters and the LAP is registered to the WLC. Refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC) for information on how to configure the basic parameters on a WLC and how to register the LAP to WLC.

When configured as a DHCP server, some of the firewalls do not support DHCP requests from a relay agent. The WLC is a relay agent for the client. The firewall configured as a DHCP server ignores these requests. Clients must be directly connected to the firewall and cannot send requests through another relay agent or router. The firewall can work as a simple DHCP server for internal hosts that are directly connected to it. This allows the firewall to maintain its table based on the MAC addresses that are directly connected and that it can see. This is why an attempt to assign addresses from a DHCP relay are not available and the packets are discarded. PIX Firewall has this limitation.

Cisco Employee

Yes you can use but make sure

Yes you can use but make sure following things are met.


WLC should have enough coverage to provide internet access to the guests,,[i.e if using Large Area use External annenta]


WLAN created for Guest and internal users must have differnet VLANS for broadcast isolation on L2


WLAN for guest access must have L3 web-auth enabled from controller interface.


create internal users from WLC GUI for testing guest WLAN users then you can use ACS or ISE for actual deployment.


Futher configuration guide is already attached in previous replies.


hope this help.