Guest User Accounts

Information About Creating Guest User Accounts

The controller can provide guest user access on WLANs for which you must create guest user accounts. Guest user accounts can be created by network administrators, or, if you would like a non-administrator to be able to create guest user accounts on demand, you can do so through a lobby administrator account. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest user accounts.

The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.

You can associate user name with WLAN profile name to restrict guest users in a specific WLAN.

Prerequisites for Guest Users

  • Guest users are created by administrator or lobby ambassador.

  • Guest user should be role-based.

  • Guest user should be able to connect to the network and access internet.

  • Guest users configured locally or remotely (through RADIUS or TACACS), do not have access to the device either through Telnet/SSH or WebUI.

Creating a Guest User Account (GUI)

Procedure


Step 1

Choose Configuration > Security > Guest User.

Step 2

On the Guest User page, click Add.

Step 3

Enter a user name, password, and description for the new account. Check the Generate password check box to automatically generate a password.

Step 4

Enter the number of simultaneous user logins. Valid values range between 0 to 64.

Enter 0 for unlimited users.

Step 5

In the Lifetime section, choose the number of years, months, days, hours, and minutes.

Step 6

Click Save & Apply to Device.


Creating a Guest User Account (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

user-name guest-user-name

Example:

Device(config)# user-name guest

Creates a guest user account.

Step 3

type network-user description description guest-user max-login-limit number of simultaneous logins lifetime year yy month mm day day hour hour minute minute second second

Example:

Device(config-user-name)# type network-user description sample-description guest-user max-login-limit 3 
lifetime 1 years 0 months 0 days 0 hours 0 mins 0 secs

Specifies the account type as guest user account.

Step 4

password 0 password

Example:

Device(config-user-name)# password 0 guest

Creates a password for the guest user account.

Step 5

aaa attribute list aaa-attribute-list-name

Example:

Device(config-user-name)# aaa attribute list aaa-attribute-list-name

Creates a AAA attribute list to apply QoS profiles on the guest user account.

Step 6

exit

Example:

Device(config-user-name)# exit

Returns to global configuration mode.

Note

 

If the lobby admin is local, enter the following command:

aaa authentication login default local

If the lobby admin is a remote user, enter the following commands:

aaa authentication login default group radius/tacacs
aaa remote username <remote-lobby-admin-name>

In case of local or remote lobby, enter the following command to map the authorization policies:

aaa authorization exec default local

Verifying Guest User Account

Verify Guest User Account.

Device# show aaa local guest_user all
User-Name           : new4 
     Type                :  GUEST USER 
     Password            : * 
     Is_passwd_encrypted : No 
     Attribute-List      : Not-Configured 
     Viewname            : Not-Configured 
     Lobby Admin Name    : NEW_LOBBY_ADMIN 
     Max Login Limit     : 0 
     Description         : guest 
     Start-Time          : 07:56:39 IST Jan 25 2019 
     Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs  
     Expiry-Time         : 07:56:39 IST Jan 20 2020 Remaining Lifetime  : 0 years 11 months 29 days 22 hours 52 mins 49 secs
 

To verify a specific guest user account, use the following command:

Device# show aaa local guest_user new_guest3
User-Name           : new_guest3
 Type                :  GUEST USER
 Password            : *
 Is_passwd_encrypted : No
 Attribute-List      : Not-Configured
 Viewname            : Not-Configured
 Lobby Admin Name    : INVALID_ADMIN
 Max Login Limit     : 9
 Description         : new
 Start-Time          : 04:39:01 IST Feb 4 2019
 Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs 
 Expiry-Time         : 04:39:01 IST Jan 30 2020
 Remaining Lifetime  : 0 years 11 months 11 days 21 hours 16 mins 34 secs

Assigning Username to Guest Users in a WLAN (CLI)

Before you begin

  • If wlan-profile-name is configured for a user, guest user authentication is allowed only from that WLAN.

  • If wlan-profile-name is not configured for a user, guest user authentication is allowed on any WLAN.

  • To work in a connected mode, you need to configure AAA policy override under both SSID policies before assigning a username to a guest user on a WLAN.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters configuration mode.

Step 2

username user_name mac wlan-profile-name profile_name

Example:

Device(config)# username user_name mac wlan-profile-name profile_name

Assigns a username to the WLAN profile.

Note

 

The wlan-profile-name per user is applicable for MAC type users.

Step 3

show aaa local guest_user new_guest3

Example:

Device# show aaa local guest_user new_guest3

(Optional) Displays the values of the WLAN profile.

Step 4

end

Example:

Device# end

Returns to privileged EXEC mode.