I would like to share a few thoughts about guest WLAN access.
- If you have a lot of guests this means a lot of work in terms of account & password generation plus changing the credentials after a certain time.
Now you can offload this to lobbyadmin / "Ambassadors" but still it means work. Furthermore, it is hard to do if you get 500 visitors. Is there any way of secure user self-enrollment / self-registration?
- Normally, if you print the credentials on badges the credentials can be shared. Is there any way to do MAC locking in a way so that only the first MAC address which successfully logged on with these credentials can use them?
- Is there a thermal / label printer which would work with the WiSM so that the generated password can be printed on a small note/receipt once the lobbyadmin registered the guest?
We deployed Guest Internet Access (GIA) a year ago, before our LWAPP migration began across 30 hospital systems. Our business requirements were:
1) No charge to guests
2) Minimize 'have vs. have-not' issues (no using credit cards, etc. for validation)
3) Centralized ISP(s)
4) Some form of self-reg as NONE of the hospitals wanted staff to have to do anything
We ended up doing an Advanced Services engagement with Cisco. Looked at BBSM & SSG. Settled on BBSM. GRE + VRF overlay network. The main part of the CAES engagement was to 'adapt' their existing custom 'sponsor' app to accommodate self-reg. Bottom line is we were underwhelmed with the sponsor app, although I heard @ Networkers last year from a Cisco internal IT manager that they've enhanced it considerably so YMMV.
We dropped the sponsor app & I dug in to the BBSM's SDK docs. I built a simple web form that folks get re-directed to in the BBSM's 'walled garden'. They choose Dr, Guest of Patient or business partner and based on this selection have to provide add'l info such as contact within our company. Bear in mind that there's no way to check any of this so we do have some 'donald ducks' show up in registration. Once they fill in the info, we replay their info & IP to them visually along w/ the AU policy. They click accept & it posts a string back to the BBSM that calls a pageset to initiate their session. For the doctors personal devices we BBSM auth them against radius so that they can use existing novell credentials & not have to 'sign up' each time.
This has worked pretty well for > 1yr. The BBSM unfortunately is not the most stable platform. Appliance, Win2k w/ MS ISA & some fancy cisco nat code is what it amounts to. I have 2 of them. One died already (HDD/controller) and both have had to be rebooted (hung) probably 5-6 times in 1yr.
Sooo. We are excited about GIA via LWAPP. Removes the complexities of the overlay network, gets rid of BBSMs (potentially) and has the capability to provide some redundancy where the BBSMs do not.
As far as self-reg under GIA-over-LWAPP... Since there is no way to enforce truthful registration, it is, in my opinion, of dubious value. Our previous 'extremist' security officer that insisted on it has left the building and I am exploring forgoing it completely with mgt as it's the one major complaint we get amongst otherwise raving reviews of the service (we survey the guests, etc).
One other complaint we've had is "We don't like having to (completely) re-register every 8 hours. Couldn't we just set up our own userid/password & reuse @ session expiry?"
Considering all of this, if push comes to shove & I'm forced to keep self reg as we migrate to LWAPP then here is my plan & what I think you'll want to explore:
1) Redirect the guest users to a (offbox) webform. Collect info including chosen userID/pass.
2) On post, write to sql backend. Mysql should work fine on the cheap.
3) Use ACS (or freeradius) to radius auth the user against this external (to ACS) database, just need a second or two delay to make sure form post data makes it into DB prior to posting url back to anchor controller.
1) Easier reporting than old reg form-post text file
2) Ability to do sql replication to alt datacenter where redundant anchors live
3) Upon user's session expiration, they can re-login using credentials they chose instead of having to completely re-register.
4) Radius server can still look @ novell via sldap for our docs.
Obviously you have to determine what the ultimate life of the user account in radius is before it's auto-purged.
Still have some details to flesh out but that should give you some ideas. Also, don't be afraid to survey your guests, even using free or cheap online survey tools (surveymonkey). Link to it @ top of selfreg form. Our users have NO problem filling out the survey & telling us what they like & don't. Good info.
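The self-reg plan above (chosen userid/password stored in a SQL backend, RADIUS auth against that table, accounts auto-purged after a set lifetime) combined with the first-MAC locking asked about in the original question, as an added example that is not code from either post: a Python/SQLite stand-in for the MySQL backend. The authenticate() check is what the RADIUS server's SQL lookup would have to enforce; the function names, the table layout and the 7-day default lifetime are assumptions.

```python
import hashlib, hmac, os, sqlite3, time

# Constructed guest-account table: SQLite stands in for the MySQL backend.
# In a real deployment FreeRADIUS/ACS would query this table; here the
# same rules (password, expiry, first-MAC binding) are enforced in Python.
SCHEMA = """CREATE TABLE IF NOT EXISTS guest (
    userid TEXT PRIMARY KEY, salt BLOB, pwhash BLOB,
    created REAL, expires REAL, bound_mac TEXT)"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def _hash(password, salt):
    # Store a salted PBKDF2 hash rather than the cleartext the form posted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, userid, password, lifetime_s=7 * 24 * 3600, now=None):
    """Called on form post: create the account with an explicit expiry."""
    now = time.time() if now is None else now
    salt = os.urandom(16)
    db.execute("INSERT INTO guest VALUES (?,?,?,?,?,NULL)",
               (userid, salt, _hash(password, salt), now, now + lifetime_s))
    db.commit()

def authenticate(db, userid, password, mac, now=None):
    """True only if the password matches, the account is unexpired, and the
    client MAC is the first one that ever logged on with these credentials."""
    now = time.time() if now is None else now
    row = db.execute("SELECT salt, pwhash, expires, bound_mac FROM guest "
                     "WHERE userid=?", (userid,)).fetchone()
    if row is None:
        return False
    salt, pwhash, expires, bound_mac = row
    if not hmac.compare_digest(_hash(password, salt), pwhash):
        return False
    if now > expires:
        return False
    mac = mac.lower()
    if bound_mac is None:
        # First successful login: lock the credentials to this MAC.
        db.execute("UPDATE guest SET bound_mac=? WHERE userid=?", (mac, userid))
        db.commit()
        return True
    return bound_mac == mac

def purge_expired(db, now=None):
    """Housekeeping job: drop accounts past their lifetime; returns count."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM guest WHERE expires < ?", (now,))
    db.commit()
    return cur.rowcount
```

A shared badge password reused from a second device fails at the MAC check even though the password is right, which is the behaviour the question asked for.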
Transferring Crash file from standby:
Log in to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a PowerShell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
PowerShell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...