Cisco Support Community
Community Member

Query on LobbyAdmin/Guest Access

Normally when I'm configuring guest access for customers who don't want to go putting an anchor WLC in the DMZ, first I ensure the guest VLAN is locked down and then go ahead and create a guest WLAN with Layer 3 Web authentication and use LobbyAdmin to hand out guest accounts from WCS or the WLC.

My question is this ... do you think this is secure enough? As the over-the-air traffic is unencrypted, is it possible for someone to sniff the guest username & password and gain unauthorized access to the guest network?

Is it possible to encrypt over-the-air traffic dynamically without having to set a static pre-shared key as well as using Layer 3 authentication?

Just curious more than anything.


Community Member

Re: Query on LobbyAdmin/Guest Access

Assuming you left the SSL settings to default (on), then the guest authentication page uses a self-signed certificate when passing the username and password. You can upload a real cert to the WLC if you are concerned.

You could create a VLAN with no layer 3 interface on your production equipment and add a cable modem/router from another ISP and route all guest traffic to it (and of course block any traffic to your private net).

I always create guest networks with the assumption that someone will gain access to it. Then decide whether your security policies will hold from there. If not, more security (anchoring, physically separate access points, etc.)
