Thursday, December 1, 2016

Managing Guest Account via Cisco WLC Lobby Ambassador Portal

Most businesses like to provide Wi-Fi guest access as a convenience to visitors. Guest wireless networks allow Internet access to visitors such as contractors, students, or salespeople. Many organizations understand the need for their visitors to be able to access the Internet, especially for email, so they provide WLAN guest access with a unique SSID and a guest VLAN. Firewalls are also often used to further restrict what guest users can do and even how much bandwidth is available to them. Security for guest WLAN users differs considerably from the security provided for corporate WLAN users. The main security goal of a guest WLAN is to give guests an easily accessible wireless portal to the Internet while keeping them away from the rest of the company network. The security components of a guest WLAN normally consist of the following:

Guest SSID - Multiple corporate SSIDs are broadcast by the company APs along with a guest SSID that any guest user can easily discover. The guest SSID is normally an open network with no WPA/WPA2 encryption. Although encryption is not usually provided for guest users, some WLAN vendors have begun to offer secure guest access that does provide data privacy using dynamic PSK credentials. Encrypted guest access can also be provided via 802.1X and Hotspot 2.0 on Wi-Fi CERTIFIED Passpoint client devices.

Guest VLAN - Guest user traffic should be segmented into a unique VLAN tied to an IP subnet that does not mix with the employee user VLANs. Guest traffic is often routed to a demilitarized zone (DMZ).

Firewall Policy - Guest WLAN firewall policies tend to be very restrictive. Guest firewall policies typically allow DHCP and DNS but deny access to the private networks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, because corporate servers and resources usually reside in that private IP space. The guest firewall policy normally routes all user traffic straight to an Internet gateway and away from the corporate network infrastructure. One caveat: if the resolver the guests are handed by DHCP itself sits in private address space, that single host and port must be exempted from the deny rule, or name resolution (and with it the captive portal redirect) breaks.
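To make the policy above concrete, here is an added example (not from the original post) that evaluates sample guest-VLAN flows against it: permit DHCP, permit DNS only to the designated resolver even though that resolver is in private space, deny everything else aimed at RFC 1918 addresses, and pass the rest to the Internet. The resolver address and the sample flows are constructed for this example.

```python
"""Guest-WLAN firewall policy check (added example, not the post's own code).

Permit DHCP, permit DNS to the designated resolver, deny all other traffic
to RFC 1918 space, allow everything else (Internet). The resolver address
and sample flows are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption (hypothetical address): the guest resolver sits in private
# space, so it needs an explicit exemption or DNS simply breaks for guests.
GUEST_RESOLVER = ipaddress.ip_address("10.72.235.10")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC 1918 range (IPv6 never matches)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def guest_policy(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow originating on the guest VLAN."""
    dst = ipaddress.ip_address(flow.dst)
    # DHCP: client -> server on UDP/67 (broadcast on discover, unicast on renew).
    if flow.proto == "udp" and flow.dport == 67:
        return "allow"
    # DNS, but only to the designated resolver, not to any internal host on 53.
    if flow.proto in ("udp", "tcp") and flow.dport == 53 and dst == GUEST_RESOLVER:
        return "allow"
    # Anything else destined for private space is denied, including the WLC
    # management address and internal servers.
    if is_private(flow.dst):
        return "deny"
    # Default: straight out to the Internet gateway.
    return "allow"


# Constructed sample traffic from one guest client.
SAMPLE_FLOWS = [
    Flow("192.168.50.23", "255.255.255.255", "udp", 67),  # DHCP discover
    Flow("192.168.50.23", "10.72.235.10", "udp", 53),     # DNS to guest resolver
    Flow("192.168.50.23", "10.1.1.50", "udp", 53),        # DNS to an internal host
    Flow("192.168.50.23", "10.72.235.195", "tcp", 443),   # WLC management GUI
    Flow("192.168.50.23", "10.1.1.50", "tcp", 445),       # internal file server
    Flow("192.168.50.23", "93.184.216.34", "tcp", 443),   # public web site
]


def audit(flows=SAMPLE_FLOWS) -> dict:
    """Map (dst, proto, dport) to the policy verdict for each flow."""
    return {(f.dst, f.proto, f.dport): guest_policy(f) for f in flows}


if __name__ == "__main__":
    for key, verdict in audit().items():
        print(f"{verdict:5s} {key}")
```

Running it prints one verdict per sample flow; the two lines worth noticing are the DNS request to a non-resolver internal host (denied) and the HTTPS request to the WLC management address (denied), both of which a plain "allow 53 / allow 443" rule set would have let through.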

Captive Web Portal - Guest users must normally log in through a captive portal page before they can proceed to the Internet. One of the most important aspects of the captive portal page is the legal disclaimer. A good legal disclaimer informs guest users about acceptable behavior while using the guest WLAN and can help limit the business's liability if something bad happens to a guest's device, such as a malware infection. A captive portal solution effectively turns a web browser into an authentication service. To authenticate, the user must launch a web browser; no matter which web page the user then tries to browse, the user is redirected to a logon prompt, which is the captive portal logon web page. Captive portals can redirect unauthenticated users to the login page using an IP redirect, DNS redirection, or redirection by HTTP. Note that HTTP redirection only works cleanly for cleartext HTTP: intercepting an HTTPS request produces a certificate warning on the client, which is why modern client operating systems probe a known plain-HTTP URL to detect a captive portal and pop up the login page automatically.
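The "redirection by HTTP" mechanism described above, as an added example that is not part of the original post or Cisco's implementation: an unauthenticated client's first cleartext HTTP request is answered with a 302 to the portal login page carrying the originally requested URL, an HTTPS/CONNECT request is refused rather than intercepted, and the portal validates the redirect target before sending the user back so it cannot be abused as an open redirect. The portal host name and the sample requests are constructed for this example.

```python
"""Captive-portal HTTP redirect (added example, not the post's own code).

handle_request() models the inline redirector; validate_redirect() models
the check the login page must run on the 'redirect' parameter it receives.
The portal URL and requests below are constructed for this example.
"""
from typing import Optional, Set
from urllib.parse import quote, urlsplit

PORTAL_LOGIN = "https://guest-portal.example.com/login"   # hypothetical portal


def parse_request(raw: bytes):
    """Return (method, target, host) from a minimal HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers.get("host", "")


def handle_request(client_ip: str, raw: bytes, authenticated: Set[str]) -> Optional[bytes]:
    """Return a response to send back, or None to forward the request upstream."""
    if client_ip in authenticated:
        return None                       # already logged in: let it through
    method, target, host = parse_request(raw)
    if method == "CONNECT" or target.startswith("https://"):
        # TLS cannot be redirected without presenting a certificate the client
        # distrusts; refuse and let the OS's plain-HTTP probe find the portal.
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    original = target if target.startswith("http://") else f"http://{host}{target}"
    location = f"{PORTAL_LOGIN}?redirect={quote(original, safe='')}"
    body = f'<html><body>Redirecting to <a href="{location}">login</a></body></html>'
    return (
        f"HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        f"Cache-Control: no-store\r\n"        # never let a browser cache the redirect
        f"Connection: close\r\n"
        f"Content-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode("latin-1")


def validate_redirect(url: str) -> bool:
    """Accept only absolute http(s) URLs as post-login redirect targets.

    Rejects javascript:/data: schemes, scheme-relative '//evil' targets and
    backslash tricks that some browsers normalise into a different host.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and "\\" not in url


if __name__ == "__main__":
    req = b"GET /news HTTP/1.1\r\nHost: example.com\r\n\r\n"
    print(handle_request("192.168.50.23", req, set()).decode())
```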

Guest Management Solution - Most guest WLANs require a guest user to authenticate with credentials via a captive web portal, so a database of user credentials must exist. Unlike a preexisting Active Directory database, a guest user database is created on the fly: guest user information is usually collected when the guest arrives at the company offices, and someone has to be in charge of managing the database and creating the entries. IT administrators are typically too busy to manage a guest database, so the individual who manages it is usually a receptionist or the person who greets guests at the front door. Many WLAN vendors offer guest management solutions, which are simply limited admin accounts on a RADIUS server or some other type of database server; the guest management administrators have only the rights needed to create guest user accounts. Other WLAN vendors use cloud-based servers to distribute secure guest credentials in the form of unique dynamic PSKs. A guest management solution that uses unique PSKs as credentials also provides data privacy for guest users with WPA2 encryption.



A lobby ambassador allows the creation of guest user accounts locally on the WLC. The lobby ambassador can’t access the WLC CLI and can only create guest users via the web GUI. To create a lobby ambassador account in WLC, go to Management > Local Management Users > New.


Type the lobby ambassador's username and password, choose LobbyAdmin under the User Access Mode drop-down, then click Apply.




Log into the WLC as the lobby ambassador (I used lobbyadmin1) by browsing via HTTPS to the IP address of the interface used by the guest WLAN SSID. The Lobby Ambassador Guest Management portal appears. In my wireless lab, I pointed the SSID GUEST-WIFI-LOBBY-ADMIN at the Management interface IP address 10.72.235.195.




Click New to create a guest user account and enter a name and password (up to 24 characters). There are three ways to set the password: click Generate Password to auto-generate an alphanumeric password, click Generate Strong Password to auto-generate a more complex password using alphanumeric characters and symbols, or type a password manually.




You can optionally set the guest account Lifetime (the default is 1 day) and the WLAN SSID that will use the guest account. Typing zeroes (0) in all the Lifetime fields creates a permanent guest user account; avoid that for real visitors, since a short lifetime is what keeps forgotten guest credentials from accumulating on the WLC.
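As an added example (not the WLC's own code) covering the two steps above, the following models what the portal does for a guest entry: a CSPRNG-generated password in either the alphanumeric or the "strong" alphabet, capped at 24 characters, and a lifetime where all-zero fields mean a permanent account, together with an expiry check. It also computes the entropy of the two password styles so the difference between the two Generate buttons is visible. The symbol set, default length, account names and timestamps are assumptions constructed for this example.

```python
"""Guest account model with password generation and lifetime expiry.

Added example, not the Cisco WLC's implementation. The symbol set, default
length, account names and timestamps are constructed for this example.
"""
import math
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_PASSWORD_LEN = 24                     # limit stated by the portal
ALNUM = string.ascii_letters + string.digits
STRONG = ALNUM + "!@#$%^&*()-_=+"         # assumed symbol set for "strong"


def generate_password(length: int = 12, strong: bool = False) -> str:
    """Password from the OS CSPRNG; 'strong' adds symbols to the alphabet."""
    if not 1 <= length <= MAX_PASSWORD_LEN:
        raise ValueError("length must be between 1 and 24")
    alphabet = STRONG if strong else ALNUM
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(len(alphabet))


@dataclass
class GuestAccount:
    username: str
    password: str
    wlan_id: int
    created: datetime
    lifetime: Optional[timedelta]         # None means permanent

    @classmethod
    def create(cls, username: str, wlan_id: int, days: int = 1, hours: int = 0,
               minutes: int = 0, seconds: int = 0, password: Optional[str] = None,
               strong: bool = False, now: Optional[datetime] = None) -> "GuestAccount":
        """Mirror the portal form: optional manual password, default 1-day lifetime."""
        if password is None:
            password = generate_password(strong=strong)
        if not 1 <= len(password) <= MAX_PASSWORD_LEN:
            raise ValueError("password must be 1 to 24 characters")
        lifetime = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
        if lifetime == timedelta(0):
            lifetime = None               # all-zero lifetime fields => permanent
        now = now or datetime.now(timezone.utc)
        return cls(username, password, wlan_id, now, lifetime)

    def is_expired(self, at: Optional[datetime] = None) -> bool:
        if self.lifetime is None:
            return False
        at = at or datetime.now(timezone.utc)
        return at >= self.created + self.lifetime


def purge_expired(accounts, at: datetime):
    """Return the accounts still valid at the given time (the WLC's own purge)."""
    return [a for a in accounts if not a.is_expired(at)]


def demo() -> dict:
    """Walk through a constructed scenario and return the observed results."""
    t0 = datetime(2016, 12, 1, 9, 0, tzinfo=timezone.utc)
    guest = GuestAccount.create("guest1", wlan_id=1, now=t0)            # default 1 day
    short = GuestAccount.create("visitor", wlan_id=1, days=0, hours=2, now=t0)
    permanent = GuestAccount.create("contractor", wlan_id=1, days=0, now=t0)
    later = t0 + timedelta(hours=23)
    return {
        "guest_expired_after_23h": guest.is_expired(later),
        "guest_expired_after_1d": guest.is_expired(t0 + timedelta(days=1)),
        "short_expired_after_23h": short.is_expired(later),
        "permanent_expired_after_1y": permanent.is_expired(t0 + timedelta(days=365)),
        "permanent_lifetime": permanent.lifetime,
        "remaining_after_23h": [a.username for a in purge_expired([guest, short, permanent], later)],
        "alnum_bits": entropy_bits(12, ALNUM),
        "strong_bits": entropy_bits(12, STRONG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy figures are the useful takeaway: at the same length, adding a dozen symbols gains only a few bits, whereas adding a few characters to an alphanumeric password gains more, so prefer the longest password the 24-character limit allows over a shorter symbol-laden one.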



I've created an SSID called GUEST-WIFI-LOBBY-ADMIN under WLANs to use the guest users created by the Lobby Admin. Choose the interface (or VLAN) under Interface/Interface Group (G), choose None under Security > Layer 2, and choose Web Policy > Authentication under Layer 3 Security. With Layer 2 security set to None the guest traffic is unencrypted over the air; that is the usual trade-off for an open guest SSID, as noted above.






I've used my iPhone to quickly test guest1 account on the SSID GUEST-WIFI-LOBBY-ADMIN.





The Lobby Admin portal doesn't show which guest accounts currently have clients associated. You can view the guest user accounts on the WLC (using the main admin account) under Security > AAA > Local Net Users.



To see the connected guest clients themselves, look under Monitor > Clients.


