brkagg-2016_c2_rev4

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Designing Guest Access with the Cisco Unified Wireless Network

BRKAGG-2016

Mike Adler

WNBU TME

[email protected]


What You Will Learn…

What are the requirements of a Guest Access Service

How to design and implement a secured Guest Access Service using Cisco Unified Wireless Network

The authentication alternatives to control Guest Access (Web portal authentication)

Solutions to provision the guest accounts

Aspects of Reporting and Monitoring


Agenda

Introduction

Guest Access Service Requirements

Deploying a Secured Wireless Network Supporting Wireless and Wired Guest Access

Guest Policy Enforcement

Guest Access Provisioning

Guest Authentication Portal

Guest Life Cycle Management and Reporting


Drivers for Guest Network Access

[Figure: drivers for guest network access, balancing the needs of guest users and IT departments]

• Visitor access for VPN
• Internet access for customers
• Contractor secured internal network access
• On-site vendor demos
• Segmenting visitors from subsidiaries
• Providing a positive visitor experience
• Streamlining IT management and control
• Network integrity and security
• Customized access
• Simplified network design
• Cost-effective deployment and operations

Balancing the Needs of Guest Users and IT Departments

Types of Network Users

Corporate Employees (full access):
• Need internal network access
• Can be role based to allow granular access if needs require

Contractors/Consultants (restricted internal access):
• Need restricted internal access: printers, file shares, specific applications, device support

Guest Users (Internet only):
• Internet access only
• No need to access internal systems
• Segment access completely

Cisco Guest Services Give You Control

Requirements for Secure Guest Access

Technical, usability and monitoring requirements:
• No access until authorized
• Guest traffic should be segregated from the internal network
• Web-based authentication
• Full auditing of location, MAC, IP address, username
• Overlay onto existing enterprise network
• Bandwidth and QoS management
• No laptop reconfiguration, no client software required (plug & play)
• Splash screens and web content can differ by location
• Easy administration by non-IT staff
• "Guest network" must be free or cost-effective and non-disruptive
• Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted
• Logging and monitoring
• Must not require guest desktop software or configuration

Deploying Secured Wireless and Wired Network for Guest Access


Functional Components of a Guest Access Solution

[Figure: functional components split across IT admin, employee and guest user functions]

• Path Isolation and Network Segmentation: tunnels or VLANs
• User Provisioning: guest provisioning web portal
• User Login Portal: guest user intercept web auth portal
• Reporting and Tracking: audit trails, reporting
• Guest Services and User Policy Management: differentiated access by user

Access Control Standalone AP Deployments

Use of a 802.1Q trunk for switch to AP connection to carry all the defined VLANs (one VLAN per SSID)

Isolation of guest traffic in the L2 domain using a dedicated guest VLAN associated to the guest SSID

Traffic isolation provided by VLANs is valid up to the first L3 hop device

[Figure: standalone APs bridge the guest and employee SSIDs onto wireless VLANs; VLAN isolation holds up to the distribution layer (multilayer campus design) or the access layer (routed access campus design), before the campus core]

Guest Access Control Cisco WLAN Controller Deployments

LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates original Ethernet frame)

Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs

Control and data traffic are tunneled to the controller via LWAPP/CAPWAP: data uses UDP 12222 (LWAPP) / 5247 (CAPWAP); control uses UDP 12223 (LWAPP) / 5246 (CAPWAP)

Data traffic bridged by WLAN controller on a unique VLAN corresponding to each SSID

Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

[Figure: LWAPP/CAPWAP tunnels from the APs across the campus core to a WiSM WLAN Controller, which bridges the guest and employee SSIDs onto their wireless VLANs]

LWAPP—Lightweight Access Point Protocol
CAPWAP—Control And Provisioning of Wireless Access Points

Guest Access Control WLAN Controller Deployments

Access Layer Switch (no trunk between AP and access layer switch; only the AP management VLAN is defined):

vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access

Cisco Catalyst Switch connected to the WLAN Controller (SVIs corresponding to each SSID are defined here):

vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown

Guest Access Control WLAN Controller Deployments (controller configuration screens)

• Create the employee and guest VLAN in the controller
• Map the employee/guest WLAN in the controller to the respective employee/guest VLAN

Components of a Guest Access Solution: Path Isolation

Access Control End-to-End Wireless Traffic Isolation

[Figure: standalone AP beside LWAPP/CAPWAP APs, each with its own isolation boundary]

The fact:
• VLAN isolation for standalone APs is valid up to the first L3 hop
• Traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller (centralized deployment is recommended)

The challenge:
• How to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communications?

Path Isolation: Why Do We Need It for Guest Access?

• Extend logical traffic isolation end-to-end over the L3 network domain
• Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, etc.)
• Securely transport the guest traffic across the internal network infrastructure

[Figure: LWAPP/CAPWAP tunnels from the APs to the controller, with the L3 domain beyond the controller still to be covered]

Path Isolation: WLAN Controller Deployments with EoIP Tunnel

• Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
• Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
• No need to define the guest VLANs on the switches connected to the remote controllers
• The original guest's Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
• Redundant EoIP tunnels to the Anchor WLC
• 2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC

[Figure: remote WLCs carry the guest SSID over EoIP "Guest Tunnels" across the campus core to the Guest WLAN Controller (Anchor) facing the Internet; employee SSIDs stay on the local wireless VLANs]

[Figure: the same design with a Cisco ASA Firewall between the internal Wireless LAN Controller and the DMZ or Anchor Wireless Controller; guest traffic crosses LWAPP/CAPWAP, then the EoIP "Guest Tunnel" through the firewall, then reaches the Internet]

Guest Path Isolation: Building the EoIP Tunnel

1. Specify a mobility group for each WLC
2. Open ports for inter-controller tunneled client data and inter-controller control traffic
3. Configure the mobility groups and add the MAC address and IP address of the remote WLC
4. Create identical WLANs on the Remote and Anchor controllers
5. Create the Mobility Anchor for the Guest WLAN
6. Modify the timers in the WLCs
7. Check the status of the Mobility Anchors for the WLAN

Pros:
• Simple configuration
• Overlay solution: no need to modify the network configuration

Cons:
• Support for wireless and wired (layer-2 adjacent) guest clients only
• Limited to WLAN Controller wireless deployments

Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel (configuration screens)

• Remote controller configuration: each WLC is part of a mobility group
• Anchor and remote controller configuration: configure the mobility groups and add the MAC address and IP address of the remote WLCs
• Anchor and remote controller configuration: configure guest VLANs on the Remote and Anchor controllers
• Remote controller configuration: create the mobility anchor for the guest WLAN on the Remote WLCs
• Anchor controller configuration: create the Mobility Anchor for the guest WLAN on the Anchor WLC
• Anchor controller: modify the timers on the Anchor WLCs, then check the status of the mobility anchors for the WLAN

Guest Path Isolation: Firewall Ports and Protocols

Must be open, in both directions, for:
• EoIP packets: IP protocol 97
• Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)
• Inter-Controller CAPWAP Data/Control Traffic: UDP 5247/5246
• Inter-Controller LWAPP Data/Control Traffic: UDP 12222/12223

Optional management/operational protocols (marked "Do NOT Open!" on the slide):
• SSH/Telnet: TCP port 22/23
• TFTP: UDP port 69
• NTP: UDP port 123
• SNMP: UDP ports 161 (gets and sets) and 162 (traps)
• HTTPS/HTTP: TCP port 443/80
• Syslog: TCP port 514
• RADIUS Auth/Account: UDP ports 1812 and 1813

Path Isolation Sample Firewall Configuration

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
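The ports slide and the sample ASA configuration above can be checked against each other mechanically. The following Python is an added example written for this transcript, not code from the presentation or from any Cisco product: it parses host-to-host `access-list ... extended` entries in the form the slide shows and reports which of the "Must be Open!" flows (EoIP IP protocol 97, mobility UDP 16666/16667, inter-controller CAPWAP UDP 5246/5247 and LWAPP UDP 12222/12223) the access list does not permit, and which of the optional management ports it permits anyway. The controller addresses come from the slide's configuration; the fourth ACE in the sample, which opens SSH to the anchor, is constructed to show a finding.

```python
"""Audit a Cisco ASA access list against the anchor/foreign firewall policy.

Added example; not code from the presentation or from any Cisco product.
Only 'access-list NAME extended permit|deny PROTO host A host B [eq PORT]'
lines are parsed; other ACE forms are ignored.
"""
import re
from dataclasses import dataclass
from typing import Optional

FOREIGN_WLC = "10.50.10.26"   # addresses taken from the slide's sample configuration
ANCHOR_WLC = "10.70.0.2"

# Constructed sample: the three ACEs from the slide plus one deliberately
# wrong ACE that opens SSH to the anchor through the DMZ interface.
SAMPLE_ACL = """
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
access-list DMZ extended permit tcp host 10.50.10.26 host 10.70.0.2 eq 22
"""

# (protocol, port) pairs from the 'Firewall Ports and Protocols' slide.
MUST_BE_OPEN = {("97", None), ("udp", 16666), ("udp", 16667),
                ("udp", 5246), ("udp", 5247), ("udp", 12222), ("udp", 12223)}
DO_NOT_OPEN = {("tcp", 22), ("tcp", 23), ("udp", 69), ("udp", 123), ("udp", 161),
               ("udp", 162), ("tcp", 443), ("tcp", 80), ("tcp", 514),
               ("udp", 1812), ("udp", 1813)}

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$")


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str            # "udp", "tcp" or an IP protocol number such as "97"
    src: str
    dst: str
    port: Optional[int]   # None: any port, or a protocol without ports


def parse_acl(text):
    """Parse host-to-host ACEs; lines in other forms are skipped."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = m.group("port")
            aces.append(Ace(m.group("name"), m.group("action"), m.group("proto").lower(),
                            m.group("src"), m.group("dst"), int(port) if port else None))
    return aces


def permits(aces, proto, src, dst, port=None):
    """ASA semantics: the first matching ACE decides, implicit deny at the end."""
    for ace in aces:
        if (ace.proto == proto and ace.src == src and ace.dst == dst
                and (ace.port is None or ace.port == port)):
            return ace.action == "permit"
    return False


def audit(text, foreign=FOREIGN_WLC, anchor=ANCHOR_WLC):
    """Return (required flows not permitted, management ports permitted)."""
    aces = parse_acl(text)
    missing = sorted((p, q) for p, q in MUST_BE_OPEN
                     if not permits(aces, p, foreign, anchor, q))
    exposed = sorted((p, q) for p, q in DO_NOT_OPEN
                     if permits(aces, p, foreign, anchor, q))
    return missing, exposed


if __name__ == "__main__":
    missing, exposed = audit(SAMPLE_ACL)
    print("required flows not permitted:", missing)
    print("management ports wrongly permitted:", exposed)
```

Run against the sample, the audit reports the inter-controller CAPWAP and LWAPP ports as not covered (the slide's access list opens only EoIP and mobility) and flags the constructed SSH entry; comparing that output with the ports slide is the point of the check.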

Show Commands (output screenshots)

• show mobility summary
• show mobility anchor
• show mobility statistics

Show Commands—Remote and Anchor WLC: show client detail mac_address

Remote WLC:

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest-vlan
VLAN............................................. 4

Anchor WLC:

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
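The two outputs above are the pair an operator compares when a guest client is not reaching the portal. The following Python is an added example for this transcript, not a Cisco tool: it parses the dotted `Field..... value` lines the WLC CLI prints and cross-checks the remote and anchor views of one client: the remote side must report Export Foreign and point at the anchor, the anchor side must report Export Anchor and point back at the foreign controller, both must see the same MAC and VLAN, and the anchor must have completed the security policy and learned the username, since web authentication happens on the anchor. The samples are shortened copies of the slide's output; the management addresses passed to the check are the ones the output itself shows.

```python
"""Cross-check 'show client detail' from the foreign and anchor WLCs.

Added example; not code from the presentation or from any Cisco tool.
"""
import re

LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9 /@]+?)\s*\.{2,}\s*(?P<val>.*)$")

# Constructed samples: the slide's two outputs, reduced to the fields used here.
FOREIGN_OUTPUT = """\
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Interface........................................ guest-vlan
VLAN............................................. 4
"""
ANCHOR_OUTPUT = """\
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
IP Address....................................... 10.50.10.128
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Interface........................................ guest
VLAN............................................. 4
"""


def parse_client_detail(text):
    """Return {field: value} for every 'Field....... value' line; prompts are skipped."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def check_anchoring(foreign_text, anchor_text, anchor_mgmt_ip, foreign_mgmt_ip):
    """Return a list of problems; an empty list means the client is anchored consistently."""
    f, a = parse_client_detail(foreign_text), parse_client_detail(anchor_text)
    problems = []
    if f.get("Client MAC Address") != a.get("Client MAC Address"):
        problems.append("MAC address differs between foreign and anchor")
    if f.get("Mobility State") != "Export Foreign":
        problems.append("foreign WLC is not in Export Foreign state")
    if a.get("Mobility State") != "Export Anchor":
        problems.append("anchor WLC is not in Export Anchor state")
    if f.get("Mobility Anchor IP Address") != anchor_mgmt_ip:
        problems.append("foreign WLC points at the wrong anchor")
    if a.get("Mobility Foreign IP Address") != foreign_mgmt_ip:
        problems.append("anchor WLC points at the wrong foreign controller")
    if a.get("Security Policy Completed") != "Yes" or a.get("Policy Manager State") != "RUN":
        problems.append("anchor has not completed the security policy")
    if a.get("Client Username") in (None, "", "N/A"):
        problems.append("anchor has no username: web authentication not completed")
    if f.get("VLAN") != a.get("VLAN"):
        problems.append("VLAN differs between foreign and anchor")
    return problems


if __name__ == "__main__":
    print(check_anchoring(FOREIGN_OUTPUT, ANCHOR_OUTPUT, "10.70.0.2", "10.50.10.26"))
```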

Guest Network Redundancy

• Anchor WLC reachability is determined using the EoIP ping (data path) functionality
• The Foreign WLC sends pings at configurable intervals to see whether the Anchor WLC is alive
• Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
• The Remote WLC keeps monitoring the Anchor WLC
• Under normal conditions, round-robin fashion is used to balance clients between Anchor WLCs

[Figure: foreign WLC F1 with a primary link and a redundant link over EtherIP "Guest Tunnels" to anchor WLCs A1 and A2 across the campus core; guest VLAN 10.10.60.x/24; controller management addresses 10.10.80.3, 10.10.75.2 and 10.10.76.2]
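The behaviour the slide describes (periodic EoIP pings, de-authentication of clients on a failed anchor, continued monitoring, round-robin placement) can be modelled in a few dozen lines. The following Python is an added example for this transcript, not the controller's code. It assumes, as a labelled simplification, that an anchor is declared dead after a fixed number of consecutive missed pings and that de-authenticated clients re-associate and get placed again; the two anchor addresses are constructed for the example.

```python
"""Model of a foreign WLC monitoring its anchor WLCs over EoIP pings.

Added example; not the controller's code. Assumptions: an anchor is declared
dead after `max_misses` consecutive failed pings, and a de-authenticated
client re-associates and is placed again by `place_client`.
"""


class AnchorMonitor:
    def __init__(self, anchors, max_misses=3):
        self.anchors = list(anchors)
        self.max_misses = max_misses
        self.misses = {a: 0 for a in anchors}
        self.alive = {a: True for a in anchors}
        self.clients = {}      # client MAC -> anchor address
        self.deauthed = []     # log of (client MAC, failed anchor)
        self._rr = 0           # round-robin cursor

    def place_client(self, mac):
        """Round-robin over the anchors currently alive; None if none is reachable."""
        alive = [a for a in self.anchors if self.alive[a]]
        if not alive:
            return None
        anchor = alive[self._rr % len(alive)]
        self._rr += 1
        self.clients[mac] = anchor
        return anchor

    def ping_result(self, anchor, reachable):
        """Feed one EoIP ping outcome; called once per configured interval per anchor."""
        if reachable:
            self.misses[anchor] = 0
            self.alive[anchor] = True      # monitoring continues, so a recovered anchor returns
            return
        self.misses[anchor] += 1
        if self.alive[anchor] and self.misses[anchor] >= self.max_misses:
            self.alive[anchor] = False
            # Failure detected: DEAUTH every client anchored there.
            for mac, a in list(self.clients.items()):
                if a == anchor:
                    self.deauthed.append((mac, anchor))
                    del self.clients[mac]

    def clients_on(self, anchor):
        return sorted(mac for mac, a in self.clients.items() if a == anchor)


if __name__ == "__main__":
    # Constructed anchor addresses; not the slide's controllers.
    m = AnchorMonitor(["192.0.2.1", "192.0.2.2"])
    for mac in ("aa", "bb", "cc"):
        print(mac, "->", m.place_client(mac))
    for _ in range(3):
        m.ping_result("192.0.2.1", False)
    print("deauthenticated:", m.deauthed)
    print("re-placed aa ->", m.place_client("aa"))
```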

Wireless Guest Access—Deployment Options Summary

                           Cisco Standalone APs    Cisco Unified Wireless—No DMZ Controller   Cisco Unified Wireless—DMZ Controller
Provisioning Portal        No                      Yes                                        Yes
User Login Portal          No                      Yes                                        Yes
Traffic Segmentation       VLANs through network   VLANs through network                      Yes—tunnels or VLANs
User Policy Management     No                      Yes                                        Yes
Reporting                  No                      Yes                                        Yes
Overall Functionality      Low                     Medium                                     High
Overall Design Complexity  Medium                  Medium                                     Low

[Figure: the three topologies: standalone APs with Internet and LAN; unified wireless without a DMZ WLC, managed by WCS; unified wireless with a DMZ WLC reached over EoIP, managed by WCS]

Deploying Secured Wired Guest Access

Unified Wired and Wireless Deployment: Wired Guest Access

• Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access
• Allows organizations to leverage existing wireless infrastructure to provide guest access on the LAN
• A universal provisioning interface and captive portal provide ease of guest user provisioning and consistent network access
• Enables common guest user policies for both wired and wireless network access

Guest Access for Wired LAN: Overview

• Wireless LAN Controllers version 4.2 and above offer Wired Guest Access
• The Wired Guest VLAN must be L2 adjacent with the WLC
• The Wired Guest VLAN can be the fallback VLAN in 802.1x/EAP authentication on the switch
• Supported on WLC-4400, 5500 series, Catalyst 3750 Wireless and Catalyst 6500 with WiSM

[Figure: a wired client on a Layer-2 switch joins the guest VLAN, which the WLC carries over EtherIP "Guest Tunnels" across the campus core to the anchor and the Internet, alongside the guest and secure wireless VLANs]

Unified Wired and Wireless Guest Access

• Wired guest ports are provided in designated locations and plugged into an access switch
• The configuration on the access switch puts these ports into the wired guest layer 2 VLAN
• On a single WLAN Controller, the guest VLAN is trunked into the WLC
• On a multi-controller deployment with Auto Anchor mode, the guest VLAN is trunked into the Foreign controller and then tunneled into the DMZ Anchor controller

[Figure: Wired Guest Access: a wired guest on an isolated L2 VLAN and a wireless guest both reach the Wireless LAN Controller, then cross the EoIP tunnel through the Cisco ASA Firewall to the DMZ or Anchor Wireless LAN Controller and the Internet, separated from the corporate intranet]

Wired Guest Access Deployment Requirements

• Five guest LANs for wired guest access are supported
• The admin can create wired guest VLANs on the WLC and associate them with the guest LAN
• Web-auth is the default security on a wired guest LAN, but open and web pass-through are also supported
• No L2 security, such as 802.1x, is supported
• Multicast and broadcast traffic is dropped on wired guest VLANs
• Wired guest access is supported in a single guest WLC scenario or an Anchor-Foreign Guest WLC scenario

Wired Guest Access Deployment Steps (configuration screens)

1. Create a dynamic interface as the guest LAN; it will be the ingress interface, and DHCP server information is not required on it
2. DHCP server information is required on the egress dynamic interface
3. Create the wired WLAN as "Guest LAN" type
4. Assign the ingress and egress interfaces: the ingress interface is the wired guest LAN; the egress interface can be the management interface or any dynamic interface

Wireless and Wired Guest Configuration: wireless and wired guest WLANs shown side by side on the controller

Architecture Summary

• Wireless is the preferred guest access technology because it provides no physical connectivity to the corporate network.
• Using multiple BSSIDs allows WLAN virtualization: each WLAN appears to come from a separate access point.
• An Anchor Controller in the guest DMZ allows full path isolation from the access point to the guest DMZ.
• The Cisco ASA Firewall allows only EoIP traffic between the Wireless LAN Controllers.
• The Cisco ASA Firewall also provides advanced security features for guest control.

Guest Services Policy Enforcement

Components of a Guest Access Solution: Policy Management

Policy Enforcement: Differentiated Guest Services per SSID

• Several guest SSIDs can be defined on WLCs.
• Each SSID can have its own rules (ACL, wired interface, pre-auth ACL, …)
• Lobby administrators can select the appropriate SSID profile depending on guest type (visitor, contractor, customer, …)

Policy Enforcement: Using ACLs for Guest Traffic

• An ACL can be applied per wired VLAN associated with a guest SSID
• The ACL can be overridden per SSID
• The ACL can, in some provisioning situations, be per user or per user group (guests authenticated by a RADIUS server)
• A pre-auth ACL allows specific traffic to be forwarded even if the guest is not yet web authenticated.
• A pre-auth ACL can be used to allow access to VPN services, free web services, …
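The two slides above describe a precedence: before web authentication only the WLAN's pre-auth ACL applies; afterwards a per-user ACL returned by RADIUS takes precedence over the per-SSID override, which in turn takes precedence over the ACL on the wired interface/VLAN. The following Python is an added example for this transcript, not the controller's code, showing that resolution on constructed policy: 10.10.4.1 is the guest VLAN gateway from the switch configuration earlier in the deck, while 203.0.113.10 and 198.51.100.5 are documentation addresses standing in for a VPN concentrator and a public web site. Traffic not matched by the pre-auth ACL is treated as blocked, which is the model's simplification of the controller's intercept.

```python
"""Resolve which ACL applies to a guest client and evaluate a flow against it.

Added example; not the controller's code. ACL entries are
(action, protocol, destination network, destination port) with first-match
semantics and an implicit deny.
"""
import ipaddress


def acl_permits(acl, proto, dst_ip, dst_port):
    """First matching entry decides; implicit deny if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    for action, aproto, net, port in acl:
        if (aproto in ("any", proto) and ip in ipaddress.ip_network(net)
                and port in ("any", dst_port)):
            return action == "permit"
    return False


# Constructed policy for the example.
INTERFACE_ACL = [                       # ACL on the wired guest VLAN interface
    ("deny", "any", "10.0.0.0/8", "any"),
    ("permit", "any", "0.0.0.0/0", "any"),
]
GUEST_WLAN = {
    "preauth_acl": [                    # reachable before web authentication
        ("permit", "udp", "10.10.4.1/32", 53),        # DNS on the guest gateway
        ("permit", "tcp", "203.0.113.10/32", 443),    # hypothetical VPN concentrator
    ],
    "override_acl": [                   # per-SSID override of the interface ACL
        ("deny", "any", "10.0.0.0/8", "any"),
        ("permit", "tcp", "0.0.0.0/0", 80),
        ("permit", "tcp", "0.0.0.0/0", 443),
    ],
}
GUEST_UNAUTH = {"web_authenticated": False}
GUEST_AUTH = {"web_authenticated": True}
CONTRACTOR = {                          # per-user ACL returned by RADIUS (constructed)
    "web_authenticated": True,
    "radius_acl": [
        ("permit", "tcp", "10.10.3.0/24", 9100),      # printers on the employee VLAN
        ("deny", "any", "10.0.0.0/8", "any"),
        ("permit", "any", "0.0.0.0/0", "any"),
    ],
}


def effective_acl(client, wlan, interface_acl):
    """Return (source, acl) following the precedence the slides describe."""
    if not client["web_authenticated"]:
        return "pre-auth", wlan.get("preauth_acl", [])
    if client.get("radius_acl"):
        return "per-user (RADIUS)", client["radius_acl"]
    if wlan.get("override_acl"):
        return "WLAN override", wlan["override_acl"]
    return "interface", interface_acl


def decide(client, wlan, interface_acl, proto, dst_ip, dst_port):
    source, acl = effective_acl(client, wlan, interface_acl)
    return source, acl_permits(acl, proto, dst_ip, dst_port)


if __name__ == "__main__":
    for who, client in (("unauthenticated guest", GUEST_UNAUTH),
                        ("authenticated guest", GUEST_AUTH), ("contractor", CONTRACTOR)):
        print(who, "-> web:", decide(client, GUEST_WLAN, INTERFACE_ACL, "tcp", "198.51.100.5", 80),
              "printer:", decide(client, GUEST_WLAN, INTERFACE_ACL, "tcp", "10.10.3.20", 9100))
```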

Policy Enforcement: Guest Network Bandwidth Contracts

• Specify bandwidth limitations and policies by individual user or group
• Ability to allocate resources by specific job function or throughput requirements
• The organization's overall network performance is enhanced
• Increased granularity and control improves network security

[Figure: two guest SSIDs anchored through the campus core to the Anchor Controller and the Internet: SSID = ACCT for an Accounting Contractor (best effort) and SSID = CONTRACTOR for a Network Admin Contractor (4 Mbps, high speed); employee traffic stays on the local WLC]

Policy Enforcement: QoS Profile

• QoS profiles can be created per type of guest (customer, contractors, visitors, …)
• Ability to allocate resources by specific job function or throughput requirements
• The organization's overall network performance is enhanced
• When creating a guest account, the lobby admin will be able to use one of the defined profiles
• The QoS policy applies downstream
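The bandwidth contract on the figure (best effort for the ACCT SSID, 4 Mbps for the CONTRACTOR SSID, applied downstream) is a per-profile rate limit. The following Python is an added example for this transcript, not the controller's implementation: a token-bucket shaper run over one second of constructed downstream traffic for both profiles, so the difference between a contract and best effort is visible in the count of frames passed. The burst allowance of 15000 bytes (about ten full frames) is an assumption made for the example; the controller's real burst behaviour is not described on the slides.

```python
"""Downstream bandwidth contract enforcement with a token bucket.

Added example; not the controller's code. Time is kept in integer
milliseconds and credit in bytes so the arithmetic is exact.
"""

# Profiles from the figure; rate in bits/s, None = best effort (no contract).
PROFILES = {"ACCT": None, "CONTRACTOR": 4_000_000}


class BandwidthContract:
    def __init__(self, rate_bps=None, burst_bytes=15000):   # burst is an assumption
        self.rate = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def allow(self, now_ms, size_bytes):
        """Return True if the frame fits the contract at time now_ms."""
        if self.rate is None:                       # best effort: never limited
            return True
        refill = (now_ms - self.last_ms) * self.rate // 8000   # bits/s -> bytes per ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def shape_downstream(profile, frames):
    """frames: list of (time_ms, size_bytes); returns the number of frames passed."""
    contract = BandwidthContract(PROFILES[profile])
    return sum(1 for t, size in frames if contract.allow(t, size))


# Constructed traffic: 1000 full-size frames in one second, i.e. 12 Mbps offered.
FRAMES = [(ms, 1500) for ms in range(1000)]

if __name__ == "__main__":
    for profile in PROFILES:
        passed = shape_downstream(profile, FRAMES)
        print(f"{profile}: {passed} of {len(FRAMES)} frames, {passed * 1500 * 8 / 1e6:.2f} Mbps")
```

With a 4 Mbps contract the shaper refills 500 bytes per millisecond, so after the burst is spent it passes one 1500-byte frame in three; the best-effort profile passes everything.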

Guest Services Provisioning

Components of a Guest Access Solution: Guest Access Services

Requirements for Guest Provisioning

• Might be performed by non-IT personnel
• Must deliver basic features, but might also require advanced features: duration, start/end time, bulk provisioning, …

Provisioning strategies:
• Lobby Ambassador
• Employees

Provisioning Strategy: Lobby Ambassador

Guest accounts are created by lobby ambassadors at reception desks

Pros:
• Easier for employees
• Access code can be delivered with access badges

Cons:
• No identified employee sponsor
• Lobby ambassadors are often not employees and change regularly (tracking concern)
• When in a meeting room and Internet access is needed, the guest has to go back to reception

Provisioning Strategy: Sponsor Employees

Guest accounts are created by employees, using an intranet service

Pros:
• Easy tracking of the guest access sponsor (better tracking)
• Access code can be generated when needed, and not only at reception
• Employees can proactively create access codes and send them by email to visitors

Cons:
• Employees need to be aware of the guest service and able to use it
• The guest provisioning tool needs to be interconnected to the enterprise directory

Multiple Guest Provisioning Services

The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
• Cisco Wireless LAN Controller: basic provisioning (included in the Cisco Wireless LAN Solution)
• Cisco Wireless Control System: advanced provisioning (included in the Cisco Wireless LAN Solution)
• Cisco NAC Guest Server: dedicated provisioning (additional Cisco product)
• Customer server: customized provisioning (customer development)


Guest Provisioning Service: Cisco Wireless LAN Controller

• Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
• Lobby Ambassadors have a limited set of guest features available to create a user directly on the WLC:
  - Create guest user: up to 2048 entries
  - Set time limitation: up to 30 days
  - Set guest SSID
  - Set QoS profile

Guest Services Support on WLC with Local Database

• Configure the local internal database of the WLC
• 2048 entries can be stored in the local database per WLC
• Guest usernames are deleted automatically after the activity period

[Figure: guest and employee SSIDs on wireless VLANs across the campus core; the guest WLC holds the local guest database and fronts the Internet]
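The three limits stated for the controller's local database (2048 entries, lifetime up to 30 days, automatic deletion after the activity period) are easy to get wrong in any home-grown provisioning front end. The following Python is an added example for this transcript, not the controller's code: a small in-memory model of the local guest database that enforces those limits and expires accounts lazily on every operation. Credential generation with the `secrets` module is an assumption of the example; the slides do not describe how the controller generates guest passwords.

```python
"""Model of the WLC local guest database limits.

Added example; not the controller's code. Limits (2048 entries, 30-day
maximum lifetime, automatic deletion after the activity period) are the
ones stated on the slides; password generation is an assumption.
"""
import secrets
from datetime import datetime, timedelta

MAX_ENTRIES = 2048
MAX_LIFETIME = timedelta(days=30)


class LocalGuestDb:
    def __init__(self):
        self.users = {}   # username -> {"password", "wlan", "qos", "expires"}

    def expire(self, now):
        """Automatic deletion once the activity period has elapsed; returns the count removed."""
        dead = [u for u, rec in self.users.items() if rec["expires"] <= now]
        for u in dead:
            del self.users[u]
        return len(dead)

    def add_guest(self, username, wlan, qos_profile, lifetime, now):
        """Create a guest account and return its generated password."""
        self.expire(now)
        if lifetime <= timedelta(0) or lifetime > MAX_LIFETIME:
            raise ValueError("lifetime must be positive and at most 30 days")
        if username in self.users:
            raise ValueError("username already exists")
        if len(self.users) >= MAX_ENTRIES:
            raise RuntimeError("local database full (2048 entries)")
        password = secrets.token_urlsafe(9)        # assumption: not the WLC's generator
        self.users[username] = {"password": password, "wlan": wlan,
                                "qos": qos_profile, "expires": now + lifetime}
        return password

    def authenticate(self, username, password, now):
        """Web-auth check against the local database; expired accounts never match."""
        self.expire(now)
        rec = self.users.get(username)
        return rec is not None and secrets.compare_digest(rec["password"], password)

    def __len__(self):
        return len(self.users)


if __name__ == "__main__":
    db = LocalGuestDb()
    t0 = datetime(2009, 6, 1, 9, 0)
    pw = db.add_guest("guest1", "guest", "Silver", timedelta(days=1), t0)   # constructed account
    print("login at t0:", db.authenticate("guest1", pw, t0))
    print("login two days later:", db.authenticate("guest1", pw, t0 + timedelta(days=2)))
```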

WLC Provisioning Service Using the Internal WLC DB

[Figure: Lobby Ambassador / Employee Sponsor, Wireless LAN Controller (policy enforcement, guest web portal), Guest (visitor, contractor, customer), corporate network and Internet]

1. Lobby Ambassador creates the guest account on the WLC
2. Credentials are delivered to the guest by print or email
3. Guest authentication on the guest portal
4. Traffic can go through

Guest Provisioning Service (controller screens)

• Create the Lobby Admin in the WLC: a lobby administrator can be created in the WLC directly
• Add a "Guest" user on the WLC: Guest User List, new user with a lifetime of up to 30 days


Guest Provisioning Service: Cisco Wireless Control System

• WCS offers specific Lobby Ambassador access for guest management only
• Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers
• Lobby Ambassadors on WCS are able to create guest accounts with advanced features such as:
  - Start/end time and date, duration
  - Bulk provisioning
  - Set QoS profiles
  - Set access based on WLC, access points, or location

WCS Provisioning Service Using the Internal DB and Reporting Capabilities

[Figure: Lobby Ambassador / Employee Sponsor uses the WCS Lobby Ambassador portal (guest account database, monitoring & reporting); the Wireless LAN Controller provides policy enforcement and the guest web portal; Guest (visitor, contractor, customer), corporate network and Internet]

1. Lobby Ambassador creates the guest account with policies
2. Guest account credentials and rules are pushed to the WLC
3. Credentials are delivered to the guest by print or email with a customized logo
4. Guest authentication on the guest portal
5. SNMP trap with guest login information (MAC address, IP address, …)
6. Traffic can go through

Guest Provisioning Service: Lobby Ambassador Feature in WCS (screens)

• A user is created in WCS with Lobby Ambassador (LA) privilege
• The Lobby Ambassador user logs into WCS to create guest user accounts
• Associate the lobby admin with profile and location specific information
• Add a guest user with WCS
• Print/e-mail details of the guest user
• Schedule a guest user: Configure Controller Template > Schedule Guest User
• Details about the guest user(s)

Guest Provisioning Service Summary: Controller and WCS (integrated device management with Cisco Wireless Control System)

Multiple Guest Provisioning Services

Cisco Guest Access Solution supports several provisioning tools, with different feature richness:

Cisco Wireless LAN Controller

Cisco Wireless Control System

Cisco NAC Guest Server

Customer Server

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 75

Guest Provisioning Service

Dedicated external server

Complete provisioning, accounting, reporting and billing services

Advanced, feature-rich Sponsor and Guest user policies

Large guest account base using RADIUS

Easy integration with Clean Access and WLC

E-mail & SMS notifications

Sponsor authentication through local database, LDAP or Active Directory

Cisco NAC Guest Server

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 76

1. IT Administrator configures NGS:

Sponsor or LA access rights

Declare the Guest Anchor WLC in NGS

Configure security/policy rules

2. IT Admin configures the WLC to use Cisco NGS:

Define the Guest SSID

Associate NGS as RADIUS server

Diagram: the IT Admin (network/solution management) configures NGS (step 1) and the WLC (step 2); the NAC Guest Server hosts the Lobby Ambassador portal, guest account database and monitoring & reporting, used by the Lobby Ambassador or employee sponsor; the Wireless LAN Controller (policy enforcement, Guest Web Portal) sits between the Guest (visitor, contractor, customer) and the corporate network/Internet.

Cisco NAC Guest Server: NGS Configuration

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 77

The admin portal is required to configure the device

Cisco NAC Guest Server: Admin Interface

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 78

The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account

Cisco NAC Guest Server: Sponsor Authentication: Local Account/AD

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 79

Username Policy

1. E-mail address

2. First and last name

3. Alphabetic, numeric and special characters

Password Policy

1. Alphabetic characters

2. Numeric characters

3. Special characters

Cisco NAC Guest Server: Guest Policy: Username/Password Policy
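The username and password policies above, modelled as a checker and a generator. This is an added example written for this transcript, not Cisco NAC Guest Server code: NGS lets the administrator choose the actual policy, so the 8-character minimum, the per-class minimums and the SPECIALS character set used here are assumptions of the example.

```python
"""Guest credential policy: the three username options and the three
password character classes from the NGS slide, as code (added example)."""
import re
import secrets
import string
from dataclasses import dataclass

# Assumed special-character set; NGS lets the admin define its own.
SPECIALS = "!#$%&*+-=?@_"


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed defaults: 8 characters, at least one of each class."""
    length: int = 8
    min_alpha: int = 1
    min_digit: int = 1
    min_special: int = 1


def username_from_email(email: str) -> str:
    """Policy 1: the e-mail address itself is the username (lower-cased)."""
    if not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", email):
        raise ValueError("not a plausible e-mail address")
    return email.lower()


def username_from_name(first: str, last: str) -> str:
    """Policy 2: first and last name, anything outside [a-z0-9] dropped."""
    def clean(s: str) -> str:
        return re.sub(r"[^a-z0-9]", "", s.lower())
    user = clean(first) + clean(last)
    if not user:
        raise ValueError("name contains no usable characters")
    return user


def username_random(length: int = 8) -> str:
    """Policy 3: random username; kept alphanumeric so it stays typeable."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_complies(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when pw meets the length and the per-class minimums and contains
    no character outside the three allowed classes."""
    alpha = sum(c.isalpha() for c in pw)
    digit = sum(c.isdigit() for c in pw)
    special = sum(c in SPECIALS for c in pw)
    other = len(pw) - alpha - digit - special
    return (len(pw) >= policy.length and other == 0
            and alpha >= policy.min_alpha
            and digit >= policy.min_digit
            and special >= policy.min_special)


def generate_password(policy: PasswordPolicy = PasswordPolicy()) -> str:
    """Generate a compliant password with the CSPRNG in `secrets`.

    One character per required class is drawn first so the minimums are met,
    the remainder comes from the full alphabet, then the list is shuffled so
    the class positions are not predictable."""
    classes = [(string.ascii_letters, policy.min_alpha),
               (string.digits, policy.min_digit),
               (SPECIALS, policy.min_special)]
    chars = [secrets.choice(cls) for cls, n in classes for _ in range(n)]
    full = string.ascii_letters + string.digits + SPECIALS
    while len(chars) < policy.length:
        chars.append(secrets.choice(full))
    # Fisher-Yates shuffle driven by secrets.randbelow
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    pw = "".join(chars)
    assert password_complies(pw, policy)
    return pw
```

The checker is the part worth keeping at the sponsor portal boundary: a portal that accepts sponsor-typed passwords should run it on the way in, not only on generated ones.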

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 80

Add the WLC that performs WebAuth as a RADIUS client in the NGS

NGS uses the standard RADIUS attribute 27 (Session-Timeout)

Cisco NAC Guest Server: WLC Integration: Guest Server Configuration
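What the WLC receives from NGS once the guest's web-auth credentials are accepted, as an added example (not Cisco WLC or NGS code): an Access-Accept carrying attribute 27 (Session-Timeout), with the Response Authenticator computed as RFC 2865 specifies, plus the check the RADIUS client side should run before honouring the attribute. The shared secret, packet identifier, Request Authenticator and User-Name are constructed values.

```python
"""RADIUS Access-Accept with Session-Timeout (attribute 27): encode, parse and
verify the Response Authenticator (added example, not Cisco code)."""
import hashlib
import secrets
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_SESSION_TIMEOUT = 27


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_auth: bytes,
                        secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(attrs: bytes) -> list:
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, ln = attrs[i], attrs[i + 1]
        if ln < 2 or i + ln > len(attrs):
            raise ValueError("bad attribute length")
        out.append((t, attrs[i + 2:i + ln]))
        i += ln
    return out


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the authenticator over the received packet; constant-time compare."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return secrets.compare_digest(expected, packet[4:20])


def session_timeout_from(packet: bytes, request_auth: bytes, secret: bytes):
    """Seconds from Session-Timeout, only if the packet authenticates and is an
    Access-Accept; None otherwise (the client should then fail closed)."""
    if not verify_response(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_SESSION_TIMEOUT and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def demo():
    """Build one constructed Access-Accept: guest0042, one-hour session."""
    secret = b"constructed-shared-secret"      # constructed value
    request_auth = bytes(range(16))            # constructed Request Authenticator
    attrs = (encode_attr(ATTR_USER_NAME, b"guest0042")
             + encode_attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600)))
    return build_access_accept(7, request_auth, secret, attrs), request_auth, secret
```

The verification step is the security-relevant one: a client that reads Session-Timeout without recomputing the authenticator will accept whatever arrives on UDP/1812 from a spoofed source.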

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 81

The sponsor has three ways to inform the guest:

1. Printing the details

2. Sending the details via e-mail

3. Sending the details via SMS

Cisco NAC Guest Server: Informing the Guest

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 82

1. Sponsor creates the Guest Account through the dedicated NGS server

2. Credentials are delivered to the Guest by print, e-mail or SMS

3. Guest authenticates on the Guest portal

4. RADIUS request from the WLC to the Cisco NGS server

5. RADIUS response with policies (session timeout, …)

6. RADIUS accounting with session information (time, login, IP, MAC, …)

7. Traffic can go through

Diagram: the Guest (visitor, contractor, customer) connects through the Wireless LAN Controller (policy enforcement, Guest Web Portal) and the corporate network to the Internet; RADIUS requests and RADIUS accounting flow between the WLC and the NAC Guest Server (Lobby Ambassador portal, guest account database, monitoring & reporting), which the Lobby Ambassador or employee sponsor uses. Steps 1 to 7 above are marked on the diagram.

Cisco NAC Guest Server: Guest User Creation

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 83

Cisco NAC Guest Server: Sponsor Portal: Create and Print Guest Access Credentials

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 84

Cisco NAC Guest Server: Sponsor Portal: Guest Reports and Logs

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 85

Multiple Guest Provisioning Services

Cisco Guest Access Solution supports several provisioning tools, with different feature richness:

Cisco Wireless LAN Controller

Cisco Wireless Control System

Cisco NAC Guest Server

Customer Server

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 86

Customers or third-party partners can create their own provisioning service

Customized provisioning can interact with the Cisco Guest Solution at several levels:

At WLC level using the RADIUS protocol

At WCS level using the SOAP/XML API

At NGS level using its API and XML

Guest Provisioning Service: Customer/Partner Server

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 88

Guest Access Service: User Provisioning

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 89

Component | Who performs it | How it is delivered

Path Isolation and Network Segmentation | IT Admin Function | Tunnels or VLANs

User Provisioning | Employee Function | Guest provisioning web portal

User Login Portal | Guest User Function | Guest user intercept web auth portal

Reporting and Tracking | IT Admin Functions | Audit trails, reporting

Guest Services and User Policy Management | IT Admin Function | Differentiated access by user

Components of a Guest Access Solution: User Provisioning

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 90

How does a wireless user connect to the network?

Associate to the access point using an SSID

For each defined SSID we can have a different authentication method (EAP type)

A guest user usually associates using an open Guest SSID

Easiest deployment, no configuration required on the client side

SSID—Service Set Identifier

Guest Access Services: Wireless Clients

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 91

Step-by-step Guest Access Service

IT Admin defines Guest policies and employee service access policies

Lobby Ambassador or employee sponsor creates Guest access credentials

Provisioning server configures the WLC

Guest credentials are delivered to the guest by print, e-mail or SMS

Guest associates to the open guest Wi-Fi service and is intercepted by the WLC

WLC, NGS or Clean Access pushes the guest portal; the guest provides credentials

Guest has Internet access

Diagram: the IT Admin (network/solution management) works against an AAA server (TACACS+, LDAP); the Lobby Ambassador or employee sponsor uses guest provisioning (WCS, NGS, …); the Guest (visitor, contractor, customer) reaches the Internet through the Wireless LAN Controller (policy enforcement, Guest Web Portal) across the corporate network with path isolation. Steps 1 to 7 above are marked on the diagram.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 92

User Login Portal

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 93

Components of a Guest Access Solution: User Login Portal

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 94

The Guest Authentication Portal is served by the WLC

When deploying a guest DMZ, the authentication portal is served by the Anchor WLC in the DMZ

The WLC Guest Authentication Portal supports 3 modes:

Internal

Customized (download)

External (redirect to external server)

Guest Authentication Portal: Overview

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 95

Guest Authentication Portal: Internal Web Portal

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 96

Wireless guest user associates to the guest SSID

Initiates a browser connection to any website

The web login page will be displayed

Diagram: campus core with LWAPP access points serving guest and employee wireless VLANs, WCS and the WLC, a guest wireless client, and the Internet.

Guest Authentication Portal: Internal Web Portal: Web Login Page on the Client

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 97

Guest Authentication Portal: External Web Portal

Web Portal—External Web Server on WLC

Diagram: campus core with LWAPP access points serving guest and employee wireless VLANs, the WLC, an external web server, and the Internet.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 98

Guest Authentication Portal: External Web Portal: Configuring Customized WebAuth in WCS

Download a sample copy of the customized WebAuth page from WCS

Customize the WebAuth page as per your requirements

Upload the newly customized WebAuth page to the Anchor WLC

Diagram: campus core with LWAPP access points serving guest and employee wireless VLANs, WCS, and the Internet.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 99

Services Edge: Configuring Customized WebAuth in WCS

Upload the customized web page to the Anchor WLC

A customized WebAuth bundle can contain:

22 login pages (16 WLANs, 5 wired LANs and 1 global)

22 login failure pages (in WCS 5.0 and up)

22 login successful pages (in WCS 5.0 and up)

Diagram: campus core with LWAPP access points serving guest and employee wireless VLANs, WCS, and the Internet.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 100

Services Edge: Sample Customized WebAuth in WCS

Sample WebAuth bundle with customized login.html, logout.html and loginfailure.html files

Diagram: campus core with LWAPP access points serving guest and employee wireless VLANs, WCS, and the Internet.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 101

Create your own Guest Access Portal web page

Download it to the guest WLC

Configure the WLC to use the "customizable web portal"

Guest Authentication Portal: Customizable Web Portal

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 103

Guest Services Reporting and Tracking

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 104

Components of a Guest Access Solution: Reporting and Tracking

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 105

Guest User Reports and Tracking

WCS Guest User reports can be used for guest usage monitoring and tracking.

WCS is able to generate scheduled guest usage reports and save them as CSV files.

Information tracked in WLC/WCS:

Lobby login that created the guest account

Guest login

Start & end of the guest session

Guest MAC address

Guest IP address

WLC used and connected AP

Information not tracked in WLC/WCS:

UDP/TCP sessions (IP destinations, UDP/TCP ports)

HTTP URLs, … any L4 information

For extended stream tracking use Cisco ASA logging features

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 106

Guest User Legal Tracking

WLC sends SNMP traps for guest access reporting

WLC sends RADIUS accounting packets on guest access sessions
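One way to turn the accounting stream the WLC emits into the tracking information listed on the previous slide (guest login, session start and end, MAC, IP, WLC, AP) and to answer the question legal tracking exists for: which guest held a given address at a given time. This is an added example, not WCS or NGS code. The records are constructed dictionaries keyed by standard RADIUS accounting attribute names (RFC 2866); that the AP is carried in Called-Station-Id and the WLC in NAS-IP-Address is an assumption of the example, and the CSV column names are the example's own.

```python
"""Correlate RADIUS accounting Start/Stop records into a guest tracking report
(added example, not Cisco WCS or NGS code)."""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; every value is made up for the example.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001", "User-Name": "guest0042",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.20.30.40",
     "Called-Station-Id": "AP-Lobby-1", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 1700000000},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0002", "User-Name": "guest0043",
     "Calling-Station-Id": "66-77-88-99-aa-bb", "Framed-IP-Address": "10.20.30.41",
     "Called-Station-Id": "AP-Lobby-2", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 1700000300},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0001", "User-Name": "guest0042",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.20.30.40",
     "Called-Station-Id": "AP-Lobby-1", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 1700003600, "Acct-Session-Time": 3600},
    # Stop whose Start never reached the collector: keep it and flag it.
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0009", "User-Name": "guest0050",
     "Calling-Station-Id": "cc-dd-ee-ff-00-11", "Framed-IP-Address": "10.20.30.42",
     "Called-Station-Id": "AP-Lobby-1", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 1700004000, "Acct-Session-Time": 120},
]


@dataclass
class GuestSession:
    session_id: str
    user: str
    mac: str
    ip: str
    ap: str            # assumed to arrive in Called-Station-Id
    wlc: str           # assumed to arrive in NAS-IP-Address
    start: Optional[int] = None    # Event-Timestamp of the Start record
    end: Optional[int] = None      # Event-Timestamp of the Stop record
    orphan_stop: bool = False      # Stop seen without a Start


def correlate(records) -> dict:
    """Fold Start/Stop records into one GuestSession per Acct-Session-Id."""
    sessions: dict = {}
    for r in records:
        sid = r["Acct-Session-Id"]
        s = sessions.get(sid)
        if s is None:
            s = GuestSession(sid, r["User-Name"], r["Calling-Station-Id"].upper(),
                             r["Framed-IP-Address"], r["Called-Station-Id"],
                             r["NAS-IP-Address"])
            sessions[sid] = s
        if r["Acct-Status-Type"] == "Start":
            s.start = r["Event-Timestamp"]
        elif r["Acct-Status-Type"] == "Stop":
            s.end = r["Event-Timestamp"]
            if s.start is None:
                # No Start: derive it from Acct-Session-Time so the row stays usable.
                s.orphan_stop = True
                if "Acct-Session-Time" in r:
                    s.start = s.end - r["Acct-Session-Time"]
    return sessions


def open_sessions(sessions: dict) -> list:
    """Sessions with a Start but no Stop: still online, or the Stop was lost."""
    return sorted(sid for sid, s in sessions.items()
                  if s.start is not None and s.end is None)


def who_had_ip(sessions: dict, ip: str, at: int) -> Optional[str]:
    """Which guest login held this IP at this time? Open sessions count as current."""
    for s in sessions.values():
        if (s.ip == ip and s.start is not None and s.start <= at
                and (s.end is None or at <= s.end)):
            return s.user
    return None


def to_csv(sessions: dict) -> str:
    """Render the report as CSV (column names are the example's own)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["session_id", "guest_login", "mac", "ip", "ap", "wlc",
                "start", "end", "orphan_stop"])
    for sid in sorted(sessions):
        s = sessions[sid]
        w.writerow([sid, s.user, s.mac, s.ip, s.ap, s.wlc, s.start, s.end, s.orphan_stop])
    return buf.getvalue()
```

The orphan-Stop and open-session cases matter for the "legal tracking" use: a report that silently drops them will answer "nobody" for an address that was in fact in use, which is the wrong failure direction for an audit trail.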

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 107

Guest User Reports in WCS

Guest Tracking report

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 108

Summary

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 109

What We Have Covered…

What a Guest Access Service is made of

Need for a secured infrastructure to support isolated Guest traffic. Unified Wireless is a key component of this infrastructure.

Components of the Guest Service are integrated in the Cisco Unified Solution but can be complemented at several levels.

Project deployments might have to take care of "Reporting and Tracking" aspects depending on regions.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 110

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.


© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 112

EoIP Tunnel Combination Between WLC Versions

Matrix of Anchor WLC version (rows) against Remote WLC version (columns), both over the releases 4.1.185, 4.2.112, 5.0.148, 5.1.78 and 6.0.182. The supported/unsupported marks in the cells did not survive extraction.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2016 113

Acronyms

VPN—Virtual Private Network

ACL—Access Control List

ACE—Access Control Entries

SSID—Service Set Identifier

MPLS—Multiprotocol Label Switching

DHCP—Dynamic Host Configuration Protocol

DNS—Dynamic Name Services

EAP—Extensible Authentication Protocol

EAPoL—EAP over LAN

AAA—Authentication, Authorization and Accounting

RADIUS—Remote Authentication Dial-In User Service

CDP—Cisco Discovery Protocol

MDA—Multi Domain Authentication

IBNS—Identity-Based Networking Services

WLAN—Wireless LAN

AP—Access Point

WLC—WLAN Controller

LWAPP—Lightweight Access Point Protocol

QoS—Quality of Service

VRF—Virtual Routing/Forwarding

GRE—Generic Routing Encapsulation

mGRE—Multipoint GRE

IGP—Interior Gateway Protocol

EIGRP—Enhanced Interior Gateway Routing Protocol

OSPF—Open Shortest Path First

WAN—Wide Area Network

SVI—Switched Virtual Interface

EoIP—Ethernet over IP