Analysis and Enhanced Configuration for Guest WLAN Showing "Security: None"

SPOTO Cisco Expert

1.0 Introduction

This document provides a technical analysis of a common scenario where a guest wireless network (WLAN) configured for captive portal authentication is displayed as an “Open” or “Unsecured” network on client devices. Although this behavior is the expected result of that standard configuration, it can cause user concern and diminish confidence in the network’s security. This guide explains the underlying reason for the behavior and provides a comprehensive, best-practice solution that adds Layer 2 encryption, which resolves the client-side display issue while improving overall guest network security.

2.0 Problem Analysis: Layer 2 vs. Layer 3 Security

The core of the issue lies in the distinction between Layer 2 (data link) and Layer 3 (network) security mechanisms within the Cisco wireless architecture.

  • Initial Configuration: The described setup involves configuring the WLAN with Layer 2 Security set to “None.” This is a necessary step to allow any client device to associate freely with the Access Point (AP) without needing a pre-shared key (PSK) or 802.1X credential. The objective is to get the client onto the network in a pre-authenticated state.

  • Layer 3 Security: Security is then applied at Layer 3 by enabling a Web Policy (Captive Portal). Once a client associates, any attempt to access external network resources is intercepted by the Wireless LAN Controller (WLC) or Identity Services Engine (ISE), and the user’s web browser is redirected to a portal for authentication (e.g., by entering a username/password, accepting an Acceptable Use Policy, or using social media credentials).

  • Resulting Client Behavior: Client operating systems (e.g., iOS, Android, Windows) determine the “security” level of a Wi-Fi network solely from the Layer 2 security the access point advertises for the SSID. Since the Layer 2 security is “None,” the client correctly identifies and labels the network as “Open” or “Unsecured”: the over-the-air traffic between the client and the AP is not encrypted at the data-link layer, either before or after portal authentication. This behavior is by design and is not an indication of a misconfiguration for this deployment type.

3.0 Recommended Comprehensive Solution: Implementing Encrypted Guest Access

To address the perception of insecurity and add a critical layer of encryption, the recommended solution is to combine Layer 2 encryption (WPA2/WPA3-PSK) with the Layer 3 Web Policy. This configuration is often referred to as Central Web Authentication (CWA) when using Cisco ISE, but the principle applies broadly. This hybrid approach ensures that all wireless traffic is encrypted from the moment of association while still leveraging the captive portal for user identification and policy enforcement.

Configuration Steps (Using Cisco 9800 WLC GUI as a reference):

  1. Navigate to WLAN Profile Configuration:

    • Go to Configuration > Tags & Profiles > WLANs.
    • Select the guest WLAN profile you wish to modify or create a new one.
  2. Configure Layer 2 Security:

    • Click on the Security tab and then the Layer 2 sub-tab.
    • Set Security Method to WPA2 + WPA3, or to WPA2 alone if older clients require broader compatibility.
    • Enable PSK (Pre-Shared Key) as the Authentication Key Management method.
    • Enter a strong, complex Pre-Shared Key in the provided field. This key will be shared with guest users to connect to the SSID. Because every guest uses the same key, WPA2-PSK protects traffic from outsiders but not from another guest who holds the key; WPA3 (SAE) derives per-session keys that close that gap, which is why WPA2 + WPA3 is preferable where clients support it.
  3. Configure Layer 3 Security (Web Policy):

    • Click on the Security tab and then the Layer 3 sub-tab.
    • Enable the Web Policy toggle.
    • Select the appropriate authentication method (e.g., Consent for a simple click-through AUP, or Authentication to redirect to an external portal like ISE).
    • If using an external portal, configure the Redirect URL for your RADIUS server (e.g., Cisco ISE).

User Experience with this Enhanced Configuration:

  1. The user selects the guest SSID on their device.
  2. The device prompts for a password. The user enters the PSK.
  3. The device connects and establishes an encrypted WPA2/WPA3 session. The Wi-Fi icon will now show a lock, and the network will be listed as “Secured.”
  4. The user opens a web browser and is redirected to the captive portal to complete the authentication or acceptance process.

4.0 Essential Security Best Practices for Guest Networks

Regardless of the authentication method, the following practices are critical for securing any guest network:

  • Client Isolation: Enable Peer-to-Peer Blocking on the WLAN profile (WLAN > Advanced tab). This prevents guest devices from communicating with each other on the same wireless segment, mitigating the risk of malware propagation or malicious attacks between users.
  • Pre-Authentication ACLs: Implement an Access Control List that restricts traffic from guest users who have not yet authenticated. The ACL should permit only the DHCP and DNS traffic needed to obtain an address and resolve the authentication portal, plus the traffic needed to reach the portal itself; all other traffic should be denied until the user successfully authenticates.
  • Rate Limiting and QoS: Apply Quality of Service (QoS) profiles to the guest WLAN to limit the bandwidth per user. This ensures that guest traffic does not negatively impact the performance of your corporate network and prevents abuse.
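As an added example (not code from SPOTO, Cisco, or the original page), the Python script below audits a controller configuration excerpt for the two concerns this page covers: whether a WLAN's Layer 2 setting leaves it showing as Open despite a Web Policy (the configuration in section 3.0), and whether the hardening items just listed (peer-to-peer blocking, a tight pre-authentication ACL) are present. The sample configuration embedded in it is constructed; its keywords follow IOS-XE 9800 WLAN CLI conventions, the profile names, SSIDs, PSK and the 192.0.2.10 portal address are placeholders, and the WLAN defaults it assumes (WPA enabled with the 802.1X AKM until overridden) are an assumption to verify against your own controller.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config excerpt (not a real controller dump); keywords follow IOS-XE 9800 WLAN CLI
# conventions, and how the pre-auth ACL is bound to the WLAN is deliberately left out.
SAMPLE_CONFIG = """\
ip access-list extended GUEST-PREAUTH-TIGHT
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 192.0.2.10 eq 8443
ip access-list extended GUEST-PREAUTH-LOOSE
 permit udp any any eq domain
 permit ip any any
wlan GUEST-OPEN 5 Guest-Open
 no security wpa
 security web-auth
wlan GUEST-PSK 6 Guest-Secured
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 ExamplePSK-Change-Me
 security web-auth
 security web-auth parameter-map global
 peer-blocking drop
"""

DHCP_DNS_PORTS = {"bootps", "bootpc", "domain", "67", "68", "53"}

@dataclass
class WlanAudit:
    profile: str
    ssid: str
    layer2: str              # "none", or the active AKM set such as "psk"
    web_auth: bool
    peer_blocking: bool
    findings: list = field(default_factory=list)

    @property
    def client_label(self) -> str:
        # Client OSes label an SSID from Layer 2 alone; the Layer 3 web policy is invisible to them.
        return "Open / Unsecured" if self.layer2 == "none" else "Secured (lock icon)"

def _sections(config: str):
    # Yield (header, [sub-command lines]) for each top-level block; "!" separators are tolerated.
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            body.append(raw.strip())
            continue
        if header:
            yield header, body
        header, body = (None if raw.strip() == "!" else raw.strip()), []
    if header:
        yield header, body

def audit_wlan(header: str, body: list) -> WlanAudit:
    # Derive the effective Layer 2 / Layer 3 posture of one "wlan" block.
    _, profile, _wlan_id, ssid = header.split(maxsplit=3)
    wpa_enabled, akm = True, {"dot1x"}      # assumed WLAN defaults before any overrides
    web_auth = peer_blocking = False
    for line in body:
        if line == "no security wpa":
            wpa_enabled = False
        m = re.fullmatch(r"(no )?security wpa akm (\S+).*", line)
        if m:
            (akm.discard if m.group(1) else akm.add)(m.group(2))
        if line == "security web-auth":
            web_auth = True
        if line.startswith("peer-blocking"):
            peer_blocking = True
    layer2 = "none" if not (wpa_enabled and akm) else "+".join(sorted(akm))
    audit = WlanAudit(profile, ssid, layer2, web_auth, peer_blocking)
    if web_auth and layer2 == "none":
        audit.findings.append("L2 None with Web Policy: shows as Open; add WPA2/WPA3-PSK alongside the portal")
    if not peer_blocking:
        audit.findings.append("Peer-to-peer blocking not enabled")
    return audit

def audit_preauth_acl(body: list) -> list:
    # Return permit entries broader than DHCP/DNS or a specific (portal) host.
    too_broad = []
    for line in body:
        parts = line.split()
        if parts[0] != "permit":
            continue
        dhcp_or_dns = parts[1] == "udp" and parts[-2:-1] == ["eq"] and parts[-1] in DHCP_DNS_PORTS
        specific_host = "host" in parts[3:]
        if not (dhcp_or_dns or specific_host):
            too_broad.append(line)
    return too_broad

def audit_config(config: str) -> dict:
    report = {"wlans": {}, "acls": {}}
    for header, body in _sections(config):
        if header.startswith("wlan "):
            audit = audit_wlan(header, body)
            report["wlans"][audit.profile] = audit
        elif header.startswith("ip access-list extended "):
            report["acls"][header.split()[-1]] = audit_preauth_acl(body)
    return report

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for a in report["wlans"].values():
        print(f"{a.profile} ({a.ssid}): L2={a.layer2}, client shows '{a.client_label}', findings={a.findings}")
    for name, bad in report["acls"].items():
        print(f"ACL {name}: {'over-permissive: ' + '; '.join(bad) if bad else 'ok'}")
```

Run against the constructed sample, GUEST-OPEN is reported as showing “Open / Unsecured” with two findings, GUEST-PSK as “Secured” with none, and GUEST-PREAUTH-LOOSE is flagged for its `permit ip any any`. To use it on a real controller, replace SAMPLE_CONFIG with the relevant `show running-config` sections and review the assumed defaults first.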

By implementing the recommended hybrid security model, you achieve a guest network that is not only robustly secured with over-the-air encryption but also presents itself correctly to end-users, fostering trust and confidence in your network infrastructure.
