Friday, May 25, 2007

Unified Wireless Guest Access: Authenticating Users

Continuing my series on Unified Wireless Guest Access, I want to go further into detail on configuring authentication for guest users. Why go so far as to make guests authenticate? The most obvious answer is security. With open access and no authentication, anyone can walk into your facility, or even sit just outside if the wireless coverage reaches that far, and be on your network. They'll be limited to Internet access, but whatever bandwidth you've allotted to guests can be saturated by an unknown user. Imagine having a saturated Internet connection and all you have to identify the user with is a MAC address.
So what options does Cisco give us for "out-of-the-box" authentication of users? We have:
  • Web Policy - Authentication
  • Web Policy - Passthrough
  • Web Policy - Conditional Web Redirect

For actual guest user authentication, I'm going to focus on the "Web Policy - Authentication" option. With this security policy configured under our guest SSID, a guest user is redirected to a login page once his or her wireless card has associated to the open SSID and a browser is opened. This is very similar to the setups you see in hotels and airports. For this example we will use the canned authentication scheme that Cisco has designed. It requires that a username and password be created for every guest user. With that username/password combination, he or she authenticates to the guest SSID and is given guest wireless access for a defined period of time.

The first place to start is the basic guest login screen, found under Security -> Web Login Page. You can do some basic HTML customization and change the titles. Use and abuse the "Preview..." button to make sure it looks the way you expect. Next... let's take a look at how a guest user is created. Click Security -> AAA: Local Net Users -> New... and fill out the fields as seen below. Make sure to create the user as a Guest user (not Permanent) so you can give the account a lifetime; a Permanent user never expires, which is exactly what you don't want for a visitor. Once the account is created... the user may log in through the guest web portal you designed above.


Sounds like a good plan, right? Well, the issue I take with this is that it requires your receptionists to access the controller with a management login just to build a username and password. I'm thinking an easier way would be to give a receptionist a front-end that lets him or her simply enter a username to authorize a user. The guest then builds his or her own password and provides a company name to be used for authentication. Problem is... this is not how guest access was designed by Cisco, and it will require some programming on our side. Interested in how this is done? Stay tuned for an in-depth look behind how guest users are created and how we can customize a front-end for guest user registration.
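To make concrete what the Local Net Users step above boils down to, and what any receptionist front-end would ultimately have to produce, here is an added example of my own; it is not code from the original post or from Cisco. It builds the controller CLI line that creates a Guest-type local net user with a lifetime, the same account the GUI form creates. It assumes the WLC syntax `config netuser add <user> <pass> wlan <id> userType guest lifetime <seconds> description "<text>"`, assumes 24-character name/password limits, a 32-character description limit and a guest lifetime between one minute and 30 days, and uses a conservative character set for everything that lands on the CLI; verify all of those against your controller's release. Usernames, the WLAN ID and the hours are constructed sample input.

```python
"""Build the WLC CLI command that creates a time-limited Guest local net user.

Added example, not from the original post or from Cisco. The command syntax,
the length limits and the lifetime range below are assumptions to verify
against your controller's documentation.
"""
import re
import secrets
import string

# Assumed controller limits (verify against your WLC release).
MAX_NAME_LEN = 24
MIN_PASSWORD_LEN = 8
MAX_PASSWORD_LEN = 24
MAX_DESC_LEN = 32
MIN_LIFETIME = 60                 # one minute
MAX_LIFETIME = 30 * 24 * 3600     # 30 days

# Conservative character sets so nothing reaches the CLI parser that it could
# interpret as a separator or quote (assumption, chosen on purpose).
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
PASSWORD_ALPHABET = string.ascii_letters + string.digits
DESC_STRIP_RE = re.compile(r"[^A-Za-z0-9 ._-]")


def generate_password(length=12):
    """Random guest password from the OS CSPRNG, for a front-end that hands the
    visitor a password instead of letting them pick a weak one."""
    if not MIN_PASSWORD_LEN <= length <= MAX_PASSWORD_LEN:
        raise ValueError("password length out of range")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def validate_username(username):
    """Reject names that are too long or contain characters outside NAME_RE."""
    if not (1 <= len(username) <= MAX_NAME_LEN) or not NAME_RE.match(username):
        raise ValueError(f"invalid username: {username!r}")
    return username


def validate_password(password):
    """Enforce the assumed length limits and the alphanumeric alphabet."""
    if not MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password length out of range")
    if any(c not in PASSWORD_ALPHABET for c in password):
        raise ValueError("password contains characters outside the allowed set")
    return password


def lifetime_seconds(hours):
    """Convert a desk-friendly duration into the seconds the controller wants,
    refusing anything shorter than a minute or longer than a month."""
    seconds = int(hours * 3600)
    if not MIN_LIFETIME <= seconds <= MAX_LIFETIME:
        raise ValueError("lifetime out of range")
    return seconds


def build_netuser_add(username, password, wlan_id, hours, description):
    """Return the single CLI line that creates a Guest-type local net user.

    Always emits 'userType guest' with a lifetime: a Permanent user has no
    lifetime and never expires, which is the wrong choice for a visitor.
    """
    validate_username(username)
    validate_password(password)
    if not isinstance(wlan_id, int) or wlan_id < 1:
        raise ValueError("wlan_id must be a positive integer")
    # Strip quotes and anything exotic from the free-text company name before
    # it is placed inside the quoted description argument.
    desc = DESC_STRIP_RE.sub("", description)[:MAX_DESC_LEN]
    return (
        f"config netuser add {username} {password} wlan {wlan_id} "
        f"userType guest lifetime {lifetime_seconds(hours)} "
        f'description "{desc}"'
    )


def build_netuser_show(username):
    """CLI line to confirm the account and its remaining lifetime afterwards."""
    validate_username(username)
    return f"show netuser detail {username}"


if __name__ == "__main__":
    # Constructed sample input: an 8-hour visitor account on WLAN ID 2.
    pw = generate_password()
    print(build_netuser_add("visitor01", pw, 2, 8, 'Acme "Corp"'))
    print(build_netuser_show("visitor01"))
```

The two things worth keeping from this even if your front-end ends up in a different language: the password comes from a CSPRNG rather than the visitor's imagination, and every account carries a lifetime so a forgotten guest login is not still valid next month.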