WLAN 30min guest access

gtilburg
Cisco Employee

Hi,

Our customer wants to use 1 guest account (not generating a new account per visitor) with - after authenticating on the web portal - 30min access to the wireless network.

After that, the user should get the portal once again and log in with those account details to have another 30min of network access.

I understand that 30min accounts can be configured, but is it supported to

  • Re-use the account between multiple visitors?
  • Keep the account for 1y without expiring?

Any other complications you might see?

The alternative I was thinking about was using an internal user and setting a re-auth timer of 30min. Not sure how well that would work.

Regards

Gert

Accepted Solutions

Jason Kunst
Cisco Employee

If you create a 30 min account then it will only be good for 30 min.

You're really looking for a sort of 30 min hotspot, right? You can create a permanent internal account and give that out. Rotate it when you like. Beware that if you have the BYOD flow enabled on the same portal, then this account will go through BYOD. If that's the case, you would use another portal or create a long-term guest account to use instead.

Does this credential ever need to be regenerated? Or can it be a static username/password that just sits in the page? Do they have to have access to the username/password, or can it be embedded (hidden) in the page?

RADIUS session timeout can be set to 30 min to kick the user out, and then they log in again.

Hi Jason,

Thanks for the reply!

The guest username/password is static and will only need to be changed every couple of months/year by the ISE admin. With that in mind, an internal user would be a good match.

To configure this, I was initially thinking of a specific guest type, however that is probably not helping as we would be using internal users, rather than guest users.

Can you confirm the Cisco WLCs are supporting the RADIUS session-timeout attribute?

I believe I would configure the ISE authorization profile to be:

Many thanks

Gert

Gert Tilburgs - CCIE R&S 21187

Network Consulting Engineer

Cisco Security Services

Phone: +3227046188 - Email: gtilburg@cisco.com

Yes, be sure to have Allow AAA Override enabled on the WLAN.
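
Added example, not part of the thread and not Cisco code: a Python check that a captured RADIUS Access-Accept really carries the Session-Timeout attribute (type 27, RFC 2865) set to 1800 seconds, the 30 minutes discussed above, after verifying the Response Authenticator. The shared secret, request authenticator and sample packet are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27  # RFC 2865: value is a 32-bit integer, in seconds

def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attributes(packet):
    """Return {type: [value_bytes, ...]}, rejecting malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def session_timeout(packet, request_auth, secret):
    """Verify the Response Authenticator, then return Session-Timeout or None."""
    attrs = parse_attributes(packet)  # also validates the length field
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    if packet[0] != ACCESS_ACCEPT or not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("not a valid Access-Accept for this request/secret")
    values = attrs.get(SESSION_TIMEOUT)
    if not values:
        return None  # no timeout pushed: the session would not be cut at 30 min
    if len(values[0]) != 4:
        raise ValueError("Session-Timeout must be 4 bytes")
    return struct.unpack("!I", values[0])[0]

# Constructed sample values (not from the thread).
SECRET = b"example-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, SECRET,
                      [(18, b"Welcome"), (SESSION_TIMEOUT, struct.pack("!I", 1800))])
```

A return value of `None` means the authorization result carried no Session-Timeout at all, which is worth ruling out before looking at the AAA override setting on the WLAN.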
