Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 11 Configuring Authentication Types
Guest Access Management
Guest Access allows a guest to gain access to the Internet and to the guest’s own enterprise without
compromising the security of the host enterprise.
Guest access is allowed through these methods:
Web Authentication (secured)
Web Pass-through
Web Authentication (secured)
Web authentication is a Layer 3 security feature that enables the Autonomous AP to block IP traffic
(except DHCP & DNS-related packets) until the guest provides a valid username and password.
In web authentication, a separate username and password must be defined for each guest. Using the
username and password, the guest is authenticated either by the local RADIUS server or an external
RADIUS server.
Perform these steps to enable web authentication:
Step 1 Browse to the Security page on the access point GUI.
Step 2 Select SSID Manager.
Step 3 Check the Web Authentication check box.
Beginning in privileged EXEC mode, use these commands to enable web authentication:
ap(config)# dot11 ssid guestssid
ap(config-ssid)# web-auth
The network security type is set to none by default, because the authentication will occur at Layer 3
through the web interface, and therefore does not need to occur at Layer 2. However, you can
combine Layer 3 security with any Layer 2 security. Web authentication is supported only with Open
authentication. No encryption is allowed.
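As an added example (not part of the Cisco guide), this Python audit reads a saved running-config, finds every SSID with web-auth enabled, and lists authentication lines that conflict with the Open-authentication requirement stated in this section. The sample config is constructed, and treating only the exact line `authentication open` as acceptable is an assumption made for this check.

```python
import re

# Constructed sample running-config excerpt (not taken from the guide).
SAMPLE_CONFIG = """\
dot11 ssid guestssid
   authentication open
   web-auth
!
dot11 ssid corp
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 ssid lobby
   authentication network-eap eap_methods
   authentication key-management wpa
   web-auth
!
"""

def parse_ssids(config):
    """Return {ssid_name: [sub-command lines]} for each 'dot11 ssid' block."""
    ssids, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^dot11 ssid (.+?)\s*$", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # any non-indented line ends the SSID block
    return ssids

def audit_web_auth(config):
    """Return {ssid: [findings]} for SSIDs that have web-auth enabled."""
    report = {}
    for name, cmds in parse_ssids(config).items():
        if "web-auth" not in cmds:
            continue  # only web-auth SSIDs are in scope
        auth = [c for c in cmds if c.startswith("authentication ")]
        # Assumption: anything other than plain Open authentication needs review.
        findings = [f"not plain Open authentication: {c}"
                    for c in auth if c != "authentication open"]
        if "authentication open" not in auth:
            findings.append("missing 'authentication open'")
        report[name] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit_web_auth(SAMPLE_CONFIG).items():
        print(ssid, "OK" if not findings else findings)
```
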
Table 11-1 Client and Access Point Security Settings (continued)

| Security Feature | Client Setting | Access Point Setting |
| --- | --- | --- |
| PEAP authentication with dynamic WEP encryption | If using Windows to configure card: Select Enable network access control using IEEE 802.1X and PEAP as the EAP Type | Set up and enable WEP and enable Require EAP and Open with EAP for the SSID |
| EAP-SIM authentication with dynamic WEP encryption | If using Windows to configure card: Select Enable network access control using IEEE 802.1X and SIM Authentication as the EAP Type | Set up and enable WEP with full encryption and enable Require EAP and Open with EAP for the SSID |

1. Some non-Cisco Aironet client adapters do not perform 802.1X authentication to the access point unless you configure
Open authentication with EAP. To allow both Cisco Aironet clients using LEAP and non-Cisco Aironet clients using LEAP
to associate using the same SSID, you might need to configure the SSID for both Network EAP authentication and
Open authentication with EAP.