Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth

I am not able to test this.

Has anybody configured the CUWN guest access with WPA PSK layer 2 and Web authentication layer 3

If so are there any problems that I should expect

Mark

4 REPLIES
Hall of Fame Super Silver

Re: Guest Access - Layer 2 security WPA PSK - Layer 3 security w

There isn't any issue doing that, but if you are going to do this for guest access then you should probably keep it open and use webauth to allow guest access. You don't want to be responsible to setup non-employee devices and you don't want to take on the responsibility of something going wrong with their equipment. Now if you want to use it for internal use, then I guess it is okay, but it defeats the purpose of single sign on.

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access - Layer 2 security WPA PSK - Layer 3 security w

Fella

Thanks, our security team are not keen on people just being able to associate with the LWAPs and getting an IP address from the WLC DHCP pool. I know there is not much that the wireless client can do until it web authenticates but it is deemed as a security risk.

So I am going to propose dual authentication WPA-PSK (we will change the key on a monthly basis) and when they associate use the web authentication using the username and password created by the lobby ambassador feature.

On a side note:- If you only use web policy but the client does not associate - does the client get dis-associated after 5mins and does the DHCP entry on the WLC get removed from the DHCP data base.

Thanks

Mark

Hall of Fame Super Silver

Re: Guest Access - Layer 2 security WPA PSK - Layer 3 security w

Mark,

I have setup wireless in two other compainies related to Rail... The biggest issue will be who will support the guest users and will they take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a dmz or seperate Internet connection. Will dhco release the address... Not right away. You can play around with the lease tim and see if your laptop keeps getting the same address or one higher. If the isue is with dhco being used up from association, then don't broadcast the ssid and have the receptionist hand out the ssid with username and password. My clients use a default username and passowrd but changes that every week. They seem to prefer that over changing it every day or have a username passeor for every guest user. They use wcs to print out the guest credentials. Again, the network team has the recepionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.

Hope this helps.

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access - Layer 2 security WPA PSK - Layer 3 security w

Fella

Thanks , I will see what our security team comes up with.

Many thanks

Mark

652
Views
8
Helpful
4
Replies