© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Designing Guest Access with the Cisco Unified Wireless Network
BRKAGG-2016
Mike Adler
WNBU TME
What You Will Learn…
What are the requirements of a Guest Access Service
How to design and implement a secured Guest Access Service using Cisco Unified Wireless Network
The authentication alternatives to control Guest Access (Web portal authentication)
Solutions to provision the guest accounts
Aspects of Reporting and Monitoring
Agenda
Introduction
Guest Access Service Requirements
Deploying a Secured Wireless Network Supporting Wireless and Wired Guest Access
Guest Policy Enforcement
Guest Access Provisioning
Guest Authentication Portal
Guest Life Cycle Management and Reporting
Drivers for Guest Network Access
(Diagram: balancing the needs of guest users and IT departments. Guest user drivers: Visitor Access for VPN, Internet Access for Customers, Contractor Secured Internal Network Access, On-Site Vendor Demos, Segmenting Visitors from Subsidiaries, Providing a Positive Visitor Experience. IT drivers: Streamlining IT Management and Control, Network Integrity and Security, Customized Access, Simplified Network Design, Cost-Effective Deployment and Operations.)
Types of Network Users
Corporate Employees (full access):
• Need internal network access
• Can be role based to allow granular access if needs require
Contractors/Consultants (restricted access):
• Need restricted internal access
• Printers
• File shares
• Specific applications
• Device support
Guest Users (Internet only):
• Internet access only
• No need to access internal systems
• Segment access completely
Cisco Guest Services Give You Control
Requirements for Secure Guest Access
Technical:
No access until authorized
Guest traffic should be segregated from the internal network
Web-based authentication
Full auditing of location, MAC, IP address, username
Overlay onto existing enterprise network
Bandwidth and QoS management
Usability:
No laptop reconfiguration, no client software required
Plug & Play
Splash screens and web content can differ by location
Easy administration by non-IT staff
"Guest network" must be free or cost-effective and non-disruptive
Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted
Monitoring:
Logging and Monitoring
Must not require guest desktop software or configuration
Deploying Secured Wireless and Wired Network for Guest Access
Functional Components of a Guest Access Solution (IT admin, employee and guest user functions)
Path Isolation and Network Segmentation: tunnels or VLANs
Guest Services and User Policy Management: differentiated access by user
User Provisioning: guest provisioning web portal
User Login Portal: guest user intercept web auth portal
Reporting and Tracking: audit trails, reporting
Access Control: Standalone AP Deployments
Use of an 802.1Q trunk for the switch-to-AP connection to carry all the defined VLANs (one VLAN per SSID)
Isolation of guest traffic in the L2 domain using a dedicated guest VLAN associated with the guest SSID
Traffic isolation provided by VLANs is valid only up to the first L3 hop device:
  Distribution layer (Multilayer Campus design)
  Access layer (Routed Access Campus design)
(Diagram: Guest and Emp SSIDs on each standalone AP mapped to the Guest and Emp wireless VLANs, carried over the trunk toward the campus core.)
Guest Access Control: Cisco WLAN Controller Deployments
LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)
Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs
Control and data traffic tunneled to the controller via LWAPP/CAPWAP: data uses UDP 12222 (LWAPP) or 5247 (CAPWAP); control uses UDP 12223 (LWAPP) or 5246 (CAPWAP)
Data traffic bridged by the WLAN controller onto a unique VLAN corresponding to each SSID
Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
LWAPP: Lightweight Access Point Protocol; CAPWAP: Control And Provisioning of Wireless Access Points
(Diagram: Guest and Emp SSIDs carried over LWAPP/CAPWAP to a WiSM WLAN Controller, which bridges them onto the Guest and Emp wireless VLANs toward the campus core.)
Guest Access Control: WLAN Controller Deployments
Access Layer Switch (connected to the AP; no trunk between the AP and the access layer switch, only the AP management VLAN is defined):
vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access

Cisco Catalyst Switch (connected to the WLAN Controller; SVIs corresponding to each SSID are defined here):
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown
Guest Access Control: WLAN Controller Deployments
Create the employee and guest VLAN in the controller
Map the employee/guest WLAN in the controller to the respective employee/guest VLAN
Components of a Guest Access Solution: Path Isolation
(Component diagram as above; this section covers Path Isolation and Network Segmentation: tunnels or VLANs.)
Access Control: End-to-End Wireless Traffic Isolation
The fact:
VLAN isolation for standalone APs is valid only up to the first L3 hop
Traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller (centralized deployment is recommended)
The challenge:
How to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communications?
(Diagram: a standalone AP beside LWAPP/CAPWAP APs, showing where each form of isolation ends.)
Path Isolation: Why Do We Need It for Guest Access?
Extend logical traffic isolation end-to-end over the L3 network domain
Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, etc.)
Securely transport the guest traffic across the internal network infrastructure
(Diagram: LWAPP/CAPWAP APs feeding the controllers.)
Path Isolation: WLAN Controller Deployments with EoIP Tunnel
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
The original guest Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor WLC
2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec-encrypted tunnels on the remote WLC
(Diagram: Guest and Emp SSIDs carried over LWAPP to the remote controllers; employee traffic bridged locally onto the Emp wireless VLAN, guest traffic carried over EoIP "Guest Tunnels" across the campus core to the Guest WLAN Controller (Anchor) and on to the Internet.)
(Second diagram for the same design: the Wireless LAN Controller receives the guest over LWAPP/CAPWAP and forwards it through an EoIP "Guest Tunnel" across the Cisco ASA Firewall to the DMZ or Anchor Wireless Controller, which connects to the Internet.)
Guest Path Isolation: Building the EoIP Tunnel
Specify a mobility group for each WLC
Open ports for:
  Inter-Controller Tunneled Client Data
  Inter-Controller Control Traffic
Configure the mobility groups and add the MAC address and IP address of the remote WLC
Create identical WLANs on the Remote and Anchor controllers
Create the Mobility Anchor for the Guest WLAN
Modify the timers in the WLCs
Check the status of the Mobility Anchors for the WLAN
Pros
• Simple configuration
• Overlay solution: no need to modify the network configuration
Cons
• Support for wireless and wired (layer-2 adjacent) guest clients only
• Limited to WLAN Controller wireless deployments
Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel (configuration walkthrough)
Remote Controller Configuration: each WLC is part of a mobility group
Anchor and Remote Controller Configuration: configure the mobility groups and add the MAC address and IP address of the remote WLCs
Anchor and Remote Controller Configuration: configure guest VLANs on the Remote and Anchor controllers
Remote Controller Configuration: create the mobility anchor for the guest WLAN on the Remote WLCs
Anchor Controller Configuration: create the Mobility Anchor for the guest WLAN on the Anchor WLC
Anchor Controller: modify the timers on the Anchor WLCs, then check the status of the mobility anchors for the WLAN
Guest Path Isolation: Firewall Ports and Protocols
Open ports in both directions for (must be open):
EoIP packets: IP protocol 97
Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)
Inter-Controller CAPWAP Data/Control Traffic: UDP 5247/5246
Inter-Controller LWAPP Data/Control Traffic: UDP 12222/12223
Optional management/operational protocols (do NOT open):
SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: TCP port 514
RADIUS Auth/Account: UDP ports 1812 and 1813
Path Isolation: Sample Firewall Configuration
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
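The firewall slide lists what must be open between the foreign and anchor WLCs and which management protocols must stay closed. The following Python audit is an added example, not part of the deck: it parses ASA-style host-to-host access-list entries of the form shown above and reports required services that are missing and forbidden ones that are permitted. The sample access list is constructed here (the deck's three entries plus the CAPWAP/LWAPP ports and one SSH entry); the 10.50.10.26/10.70.0.2 addresses are the ones the deck uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (protocol, port) pairs the deck lists under "Must be Open!" between the
# foreign (remote) WLC and the anchor WLC. Port None means a raw IP protocol.
REQUIRED: Dict[Tuple[str, Optional[int]], str] = {
    ("97", None): "EoIP (IP protocol 97)",
    ("udp", 16666): "Mobility (non-secured)",
    ("udp", 16667): "Mobility (secured IPSec tunnel)",
    ("udp", 5246): "Inter-controller CAPWAP control",
    ("udp", 5247): "Inter-controller CAPWAP data",
    ("udp", 12222): "Inter-controller LWAPP data",
    ("udp", 12223): "Inter-controller LWAPP control",
}
# Management/operational protocols the deck marks "Do NOT Open!" on this path.
DO_NOT_OPEN: Dict[Tuple[str, Optional[int]], str] = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("udp", 69): "TFTP",
    ("udp", 123): "NTP", ("udp", 161): "SNMP get/set", ("udp", 162): "SNMP trap",
    ("tcp", 443): "HTTPS", ("tcp", 80): "HTTP", ("tcp", 514): "Syslog",
    ("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS accounting",
}

# Matches the host-to-host form used in the deck's sample ASA access list.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]


def parse_acl(text: str) -> List[Ace]:
    """Extract host-to-host ACEs; interface, nat and access-group lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            aces.append(Ace(m["name"], m["action"], m["proto"].lower(),
                            m["src"], m["dst"], port))
    return aces


def audit_mobility_acl(text: str, foreign: str, anchor: str) -> Tuple[List[str], List[str]]:
    """Return (missing, forbidden) for the foreign<->anchor pair: required services
    with no permit entry, and management services that are permitted but should not be.
    An entry in either direction counts; the deck asks for both directions, so run the
    audit once per interface ACL."""
    permitted = {(a.proto, a.port) for a in parse_acl(text)
                 if a.action == "permit" and {a.src, a.dst} == {foreign, anchor}}
    missing = sorted(desc for key, desc in REQUIRED.items() if key not in permitted)
    forbidden = sorted(desc for key, desc in DO_NOT_OPEN.items() if key in permitted)
    return missing, forbidden


# Constructed sample modelled on the deck's DMZ access list, extended with the
# CAPWAP/LWAPP inter-controller entries and one SSH entry that should not be there.
FOREIGN_WLC = "10.50.10.26"
ANCHOR_WLC = "10.70.0.2"
SAMPLE_ACL = """\
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 5246
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 5247
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 12222
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 12223
access-list DMZ extended permit tcp host 10.50.10.26 host 10.70.0.2 eq 22
access-group DMZ in interface dmz
"""

if __name__ == "__main__":
    missing, forbidden = audit_mobility_acl(SAMPLE_ACL, FOREIGN_WLC, ANCHOR_WLC)
    print("missing required entries:", missing or "none")
    print("management entries that must stay closed:", forbidden or "none")
```

Run against only the deck's three entries, the audit flags the four inter-controller CAPWAP/LWAPP ports as missing, which is exactly the gap between the sample configuration and the "must be open" list.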
Show Commands
Show Mobility Summary
Show Mobility Anchor
Show Mobility Statistics
Show Commands: Remote and Anchor WLC (show client detail mac_address)
Remote WLC:
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest-vlan
VLAN............................................. 4
Anchor WLC:
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
(The first output is from the Remote WLC, the second from the Anchor WLC, both for the command show client detail mac_address.)
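The two outputs above are what a healthy foreign/anchor pair looks like for one guest client. The Python below is an added example (not from the deck) that parses the "Key....... Value" layout of show client detail and checks the pair for the relationships the captures show: Export Foreign on the remote with the expected anchor address, Export Anchor on the anchor with the expected foreign address, the same client MAC, a real IP address on the anchor, and Policy Manager State RUN on both. The embedded outputs are constructed excerpts modelled on the deck's captures.

```python
import re
from typing import Dict, List

# Constructed excerpts modelled on the deck's two 'show client detail' outputs
# (remote/foreign WLC first, anchor WLC second); not captured from a live controller.
FOREIGN_OUTPUT = """\
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Policy Manager State............................. RUN
Interface........................................ guest-vlan
VLAN............................................. 4
"""
ANCHOR_OUTPUT = """\
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
IP Address....................................... 10.50.10.128
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Policy Manager State............................. RUN
Interface........................................ guest
VLAN............................................. 4
"""

# A field line is a key, a run of dots, then the value; the command echo line does not match.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /]*?)\s*\.{2,}\s*(?P<val>.*?)\s*$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Map each 'Key.......... Value' line of show client detail to key -> value."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"]] = m["val"]
    return fields


def check_anchor_pair(foreign: Dict[str, str], anchor: Dict[str, str],
                      anchor_ip: str, foreign_ip: str) -> List[str]:
    """Return the inconsistencies found between the foreign and anchor records; empty means healthy."""
    problems: List[str] = []
    if foreign.get("Client MAC Address") != anchor.get("Client MAC Address"):
        problems.append("records are for different client MACs")
    if foreign.get("Mobility State") != "Export Foreign":
        problems.append(f"foreign WLC state is {foreign.get('Mobility State')!r}, expected 'Export Foreign'")
    if anchor.get("Mobility State") != "Export Anchor":
        problems.append(f"anchor WLC state is {anchor.get('Mobility State')!r}, expected 'Export Anchor'")
    if foreign.get("Mobility Anchor IP Address") != anchor_ip:
        problems.append("foreign WLC points at a different anchor than expected")
    if anchor.get("Mobility Foreign IP Address") != foreign_ip:
        problems.append("anchor WLC records a different foreign controller than expected")
    # In the deck's capture the foreign side shows 'Unknown' for IP Address; the guest
    # is bridged at the anchor, so the address must be present there once it is online.
    if anchor.get("IP Address", "Unknown") == "Unknown":
        problems.append("anchor has no client IP address: the guest is not yet online")
    for side, rec in (("foreign", foreign), ("anchor", anchor)):
        if rec.get("Policy Manager State") != "RUN":
            problems.append(f"{side} policy manager state is {rec.get('Policy Manager State')!r}, not RUN")
    return problems


if __name__ == "__main__":
    f = parse_client_detail(FOREIGN_OUTPUT)
    a = parse_client_detail(ANCHOR_OUTPUT)
    print(check_anchor_pair(f, a, "10.70.0.2", "10.50.10.26") or "pair is consistent")
```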
Guest Network Redundancy
Using the EoIP ping (data path) functionality, Anchor WLC reachability is determined
The Foreign WLC sends pings at configurable intervals to see whether the Anchor WLC is alive
Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
The Remote WLC keeps monitoring the Anchor WLC
Under normal conditions, round-robin is used to balance clients between Anchor WLCs
(Diagram: foreign controller F1 with a primary link to anchor A1 and a redundant link to anchor A2 over EtherIP "Guest Tunnels" across the campus core; controller management addresses 10.10.80.3, 10.10.75.2 and 10.10.76.2; guest VLAN 10.10.60.x/24 toward the Internet; Guest and Secure SSIDs on the APs.)
Wireless Guest Access: Deployment Options Summary
(Diagram: Cisco Standalone APs on the LAN with direct Internet access; Cisco Unified Wireless with no DMZ controller, managed by WCS; Cisco Unified Wireless with a DMZ controller reached over EoIP, managed by WCS.)
Feature                   | Standalone         | No DMZ WLC         | DMZ WLC
Provisioning Portal       | No                 | Yes                | Yes
User Login Portal         | No                 | Yes                | Yes
Traffic Segmentation      | VLANs thru Network | VLANs thru Network | Yes: Tunnels or VLANs
User Policy Management    | No                 | Yes                | Yes
Reporting                 | No                 | Yes                | Yes
Overall Functionality     | Low                | Medium             | High
Overall Design Complexity | Medium             | Medium             | Low
Deploying Secured Wired Guest Access
Unified Wired and Wireless Deployment: Wired Guest Access
Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access
Allows organizations to leverage existing wireless infrastructure to provide guest access on the LAN
Universal provisioning interface and captive portal provide ease of guest user provisioning and consistent network access
Enables the ability to leverage common guest user policies for both wired and wireless network access
Guest Access for Wired LAN: Overview
Wireless LAN Controllers version 4.2 and above offer Wired Guest Access
Wired Guest VLAN must be L2 adjacent with the WLC
Wired Guest VLAN can be the fallback VLAN in 802.1x/EAP authentication on the switch
Supported on WLC-4400, 5500 series, Catalyst 3750 Wireless and Catalyst 6500 with WiSM
(Diagram: a wired client on a Layer-2 switch and Guest/Secure wireless SSIDs, both carried over LWAPP to the controllers and over EtherIP "Guest Tunnels" across the campus core to the Internet.)
Unified Wired and Wireless Guest Access: Wired Guest Access
Wired Guest ports are provided in a designated location and plugged into an Access Switch
The configuration on the Access switch puts these ports into the wired guest layer 2 VLAN
On a single WLAN Controller, the Guest VLAN will be trunked into the WLC
On a multi-controller deployment with Auto Anchor mode, the guest VLAN will trunk into the Foreign controller and then be tunneled into the DMZ Anchor controller
(Diagram: wired guest on an isolated L2 VLAN and wireless guest both reach the Wireless LAN Controller, cross the Cisco ASA Firewall over an EoIP tunnel to the DMZ or Anchor Wireless LAN Controller and out to the Internet; the corporate intranet stays separate.)
Wired Guest Access: Deployment Requirements
Five guest LANs for wired guest access are supported
Admin can create wired guest VLANs on the WLC and associate them with the guest LAN
Web-auth will be the default security on a wired guest LAN, but open and web pass-thru are also supported
No L2 security, such as 802.1x, is supported
Multicast and broadcast traffic will be dropped on wired guest VLANs
Wired guest access will be supported in a single guest WLC scenario or an Anchor-Foreign guest WLC scenario
Wired Guest Access: Deployment Steps
Create a dynamic interface as the guest LAN, which will be the ingress interface
DHCP server information is not required on the ingress interface
DHCP server information is required on the egress dynamic interface
Wired Guest Access Configuration
Create the wired WLAN as "Guest LAN" type
Assign the Ingress and Egress Interfaces:
Ingress interface is the wired guest LAN
Egress interface could be the management or any dynamic interface
Wireless and Wired Guest Configuration: the wireless and wired guest WLANs
Architecture Summary
Wireless is the preferred Guest Access technology because it provides no physical connectivity to the corporate network.
Using multiple BSSIDs allows for WLAN virtualization: each WLAN appears to come from a separate Access Point.
An Anchor Controller in the Guest DMZ allows for full path isolation from the Access Point to the Guest DMZ.
The Cisco ASA Firewall allows only EoIP traffic between Wireless LAN Controllers.
The Cisco ASA Firewall also provides advanced security features for guest control.
Guest Services Policy Enforcement
Components of a Guest Access Solution: Policy Management
(Component diagram as above; this section covers Guest Services and User Policy Management: differentiated access by user.)
Policy Enforcement: Differentiated Guest Services per SSID
Several Guest SSIDs can be defined on WLCs.
Each SSID can have its own rules (ACL, wired interface, Pre-auth ACL, ...)
Lobby administrators can select the appropriate SSID profile depending on guest type (visitor, contractor, customer, ...)
Policy Enforcement: Using ACLs for Guest Traffic
ACLs can be applied per wired VLAN associated with a guest SSID
ACLs can be overridden per SSID
ACLs can, in some provisioning situations, be per user or per user group (guests authenticated by a RADIUS server)
Pre-auth ACLs allow specific traffic to be forwarded even if the guest is not yet web authenticated
Pre-auth ACLs can be used to allow access to VPN services, free web services, ...
Policy Enforcement: Guest Network Bandwidth Contracts
Specify bandwidth limitations and policies by individual user or group
Ability to allocate resources by specific job function or throughput requirements
Organization's overall network performance is enhanced
Increased granularity and control improves network security
(Diagram: SSID = ACCT for Accounting contractors (best effort) and SSID = CONTRACTOR for Network Admin contractors (4 Mbps, high speed); both guest SSIDs are carried over LWAPP/CAPWAP to the WLC and anchored through the Anchor Controller to the Internet, while Emp traffic stays on the Emp wireless VLAN.)
Policy Enforcement: QoS Profile
QoS Profiles can be created per type of guest (customer, contractors, visitors, ...)
Ability to allocate resources by specific job function or throughput requirements
Organization's overall network performance is enhanced
When creating a Guest account, the lobby admin will be able to use one of the defined profiles
QoS policy will apply downstream
Guest Services Provisioning
Components of a Guest Access Solution
(Component diagram as above; this section covers the Guest Access Services components: User Provisioning through the guest provisioning web portal and the User Login Portal.)
Requirements for Guest Provisioning
Might be performed by non-IT personnel
Must deliver basic features, but might also require advanced features:
  Duration
  Start/End Time
  Bulk provisioning, ...
Provisioning Strategies:
  Lobby Ambassador
  Employees
Provisioning Strategy: Lobby Ambassador
Guest Accounts are created by lobby ambassadors at reception desks
Pros
• Easier for Employees
• Access code can be delivered with access badges
Cons
• No identified employee sponsor
• Lobby Ambassadors are often not employees and change regularly (tracking concern)
• When in a meeting room and internet access is needed, go back to reception
Provisioning Strategy: Sponsor Employees
Guest Accounts are created by employees, using an Intranet service
Pros
• Easy tracking of guest access sponsor (better tracking)
• Access code can be generated when needed, and not only at reception
• Employee can proactively create access codes and send them by email to visitors
Cons
• Employees need to be aware of the guest service and able to use it
• Guest provisioning tool needs to be interconnected to the enterprise directory
Multiple Guest Provisioning Services
The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
Cisco Wireless LAN Controller: Basic Provisioning (included in the Cisco Wireless LAN Solution)
Cisco Wireless Control System: Advanced Provisioning (included in the Cisco Wireless LAN Solution)
Cisco NAC Guest Server: Dedicated Provisioning (additional Cisco product)
Customer Server: Customized Provisioning (customer development)
Guest Provisioning Service: Cisco Wireless LAN Controller
Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
Lobby Ambassadors will have a limited set of guest features available to create a user directly on the WLC:
  Create Guest User (up to 2048 entries)
  Set time limitation (up to 30 days)
  Set Guest SSID
  Set QoS Profile
Guest Services: Support on WLC with Local Database
Configure the local internal database of the WLC
2048 entries can be stored in the local database per WLC
Guest usernames are deleted automatically after the activity period
(Diagram: Guest and Emp SSIDs carried over LWAPP to the Guest WLC; guest traffic forwarded across the campus core to the Internet, employee traffic bridged onto the Emp wireless VLAN.)
WLC Provisioning Service: Using Internal WLC DB
1. Lobby Ambassador creates Guest Account on WLC
2. Credentials are delivered to Guest by print or email
3. Guest authentication on Guest portal
4. Traffic can go through
(Diagram: Lobby Ambassador / Employee Sponsor, Wireless LAN Controller with Policy Enforcement and Guest Web Portal, Guest (Visitor, Contractor, Customer), Corporate Network, Internet.)
Guest Provisioning Service
Create the Lobby Admin in WLC: lobby administrators can be created in the WLC directly
Add a "Guest" User on the WLC: Guest User List, new user with Lifetime up to 30 days
Guest Provisioning Service: Cisco Wireless Control System
WCS offers specific Lobby Ambassador access for Guest management only
Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers
Lobby Ambassadors on WCS are able to create guest accounts with advanced features like:
  Start/End time and date, duration
  Bulk provisioning
  Set QoS Profiles
  Set access based on WLC, Access Points, or location
WCS Provisioning Service: Using Internal DB and Reporting Capabilities
1. Lobby Ambassador creates Guest Account with policies
2. Guest Account credentials and rules are pushed to WLC
3. Credentials are delivered to Guest by print or email with customized logo
4. Guest authentication on Guest portal
5. SNMP trap with guest login information (MAC address, IP address, ...)
6. Traffic can go through
(Diagram: Lobby Ambassador / Employee Sponsor uses the WCS Lobby Ambassador Portal (Guest Account Database, Monitoring and reporting); the Wireless LAN Controller provides Policy Enforcement and the Guest Web Portal for the Guest (Visitor, Contractor, Customer); Corporate Network and Internet.)
Guest Provisioning Service: Lobby Ambassador Feature in WCS
User created in WCS with Lobby Ambassador (LA) privilege
Lobby Ambassador user logs into the WCS to create guest user accounts
Associate the lobby admin with Profile and Location specific information
Add a Guest User with WCS
Print/E-Mail Details of Guest User
Schedule a Guest User: Configure Controller Template > Schedule Guest User
Details About the Guest User(s)
Guest Provisioning Service Summary: Controller and WCS (Integrated Device Management with the Cisco Wireless Control System)
Guest Provisioning Service: Cisco NAC Guest Server
Dedicated external server
Complete provisioning, accounting, reporting and billing services
Advanced, feature-rich Sponsor and Guest user policies
Large guest account base using RADIUS
Easy integration with Clean Access and WLC
Email and SMS notifications
Sponsor authentication through local database, LDAP or Active Directory
Cisco NAC Guest Server: NGS Configuration

1. IT Administrator configures NGS:
   Sponsor or LA access rights
   Declare the Guest Anchor WLC in NGS
   Configure security/policy rules
2. IT Admin configures the WLC to use Cisco NGS:
   Define the Guest SSID
   Associate NGS as RADIUS server

(Diagram: Corporate Network; Wireless LAN Controller (policy enforcement) with the Guest Web Portal; NAC Guest Server with Lobby Ambassador Portal, Guest Account Database and Monitoring & reporting; Guest (visitor, contractor, customer); Lobby Ambassador / Employee Sponsor; IT Admin (network/solution management); Internet. Steps 1 and 2 are marked on the diagram.)
Cisco NAC Guest Server: Admin Interface

The admin portal is required to configure the device.
Cisco NAC Guest Server: Sponsor Authentication (Local Account/AD)

The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account.
Cisco NAC Guest Server: Guest Policy (Username/Password Policy)

Username policy options:
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters
Password policy (character classes the generated password must contain):
1. Alphabetic characters
2. Numeric characters
3. Special characters
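As an added example (not WCS or NAC Guest Server code), the following Python script implements the username and password policy above together with the validity window from the WCS "Schedule a Guest User" step: the username follows one of the three policies, the password comes from a CSPRNG with every required character class guaranteed, and the remaining validity is the value the controller would receive as Session-Timeout. The policy names, the special-character set, the random-username simplification (letters and digits only) and the sample sponsor and guest are assumptions.

```python
"""Guest account creation under a username/password policy, with a validity window.

Added example, not WCS or NAC Guest Server code. The policy names, the account
fields, the special-character set and the sample sponsor and guest are constructed.
"""
import re
import secrets
import string

ALPHA, DIGITS, SPECIAL = string.ascii_letters, string.digits, "!#%+-=?@_"   # SPECIAL is a chosen set


def make_username(first, last, email, policy):
    """The three username policies on the slide: e-mail address, first+last name, mixed random."""
    if policy == "email":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            raise ValueError("e-mail policy needs a syntactically valid address")
        return email.lower()
    if policy == "name":
        return re.sub(r"[^a-z]", "", (first + last).lower()) or "guest"   # drop spaces and punctuation
    if policy == "random":
        return "".join(secrets.choice(ALPHA + DIGITS) for _ in range(8))   # simplified: no specials
    raise ValueError(f"unknown username policy {policy!r}")


def make_password(length=10, classes=(ALPHA, DIGITS, SPECIAL)):
    """CSPRNG password guaranteed to contain at least one character from every required class."""
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    chars = [secrets.choice(c) for c in classes]                  # one per class, guaranteed
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                         # class positions must not be predictable
    return "".join(chars)


def password_meets_policy(pw, classes=(ALPHA, DIGITS, SPECIAL)):
    return all(any(ch in c for ch in pw) for c in classes)


def create_guest_account(sponsor, first, last, email, start, hours, username_policy="email"):
    """Account record as the sponsor creates it: sponsor identity, validity window (epoch seconds), credentials."""
    return {"sponsor": sponsor, "username": make_username(first, last, email, username_policy),
            "password": make_password(), "start": start, "end": start + hours * 3600}


def session_timeout(account, now):
    """Seconds the WLC may keep the session up (the RADIUS Session-Timeout value); 0 outside the window."""
    if now < account["start"] or now >= account["end"]:
        return 0
    return account["end"] - now
```

make_password draws from secrets, not random: a guest password produced by a seeded PRNG on a busy sponsor portal is guessable from the creation time. The validity check uses a half-open window so that a session cannot be started at the exact expiry second.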
Cisco NAC Guest Server: WLC Integration (Guest Server Configuration)

Add the WLC that performs WebAuth (the Anchor WLC in a guest DMZ design) as a RADIUS client in NGS; the shared secret must match on both sides.
NGS sends the session policy in the standard RADIUS attribute 27 (Session-Timeout), which the WLC enforces.
Cisco NAC Guest Server: Informing the Guest

The sponsor has three ways to inform the guest:
1. Printing the details
2. Sending the details via e-mail
3. Sending the details via SMS
Cisco NAC Guest Server: Guest User Creation

1. The sponsor creates the guest account on the dedicated NGS server.
2. Credentials are delivered to the guest by print, e-mail or SMS.
3. The guest authenticates on the guest portal.
4. RADIUS Access-Request from the WLC to the Cisco NGS server.
5. RADIUS Access-Accept carrying the policies (session timeout, ...).
6. RADIUS accounting with the session information (time, login, IP, MAC, ...).
7. Traffic is allowed through.

(Diagram: Corporate Network; Wireless LAN Controller (policy enforcement) with the Guest Web Portal; NAC Guest Server with Lobby Ambassador Portal, Guest Account Database and Monitoring & reporting; Guest (visitor, contractor, customer); Lobby Ambassador / Employee Sponsor; Internet. RADIUS requests and RADIUS accounting flow between the WLC and the NGS; steps 1 to 7 are marked.)
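The exchange in steps 4 to 6, as an added example that is not Cisco WLC or NAC Guest Server code: both sides of the RADIUS conversation in Python, with the WLC hiding the portal password under the request authenticator, the guest server checking the account's validity window and returning Session-Timeout (attribute 27), the WLC verifying the Response Authenticator before trusting the Accept, and the accounting Start carrying the session details the reports are built from. The shared secret, the account table, the addresses and the identifiers are constructed; only the packet layout, attribute numbers and authenticator rules come from RFC 2865 and RFC 2866.

```python
"""WLC <-> guest server RADIUS exchange: RFC 2865 authentication, RFC 2866 accounting.

Added example, not Cisco WLC or NAC Guest Server code. The shared secret, the
account table, the addresses and the session values are constructed; only the
packet layout, the attribute numbers and the authenticator rules come from the RFCs.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 8, 27
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 31, 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    """(type, value) pairs to RADIUS TLVs; int values become 4-byte integers, str values UTF-8."""
    out = b""
    for typ, val in attrs:
        val = struct.pack("!I", val) if isinstance(val, int) else val.encode() if isinstance(val, str) else val
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        typ, length = data[i], data[i + 1]
        if length < 2:
            break                                   # malformed TLV: stop rather than loop forever
        attrs[typ] = data[i + 2:i + length]
        i += length
    return attrs


def build(code, ident, auth, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + auth + attr_bytes


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], pkt[20:length]


def authenticator(code, ident, request_auth, attr_bytes, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): the RFC 2865/2866 integrity check."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def user_password(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: XOR with an MD5 keystream chained over 16-byte blocks (both directions)."""
    if hiding:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        x = bytes(a ^ b for a, b in zip(block, pad))
        out, prev = out + x, (x if hiding else block)
    return out if hiding else out.rstrip(b"\x00")


# WLC side (steps 4 and 6 on the slide)
def wlc_access_request(secret, ident, username, password, client_mac, nas_ip):
    request_auth = os.urandom(16)                   # fresh per request: it keys the password hiding
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, user_password(password.encode(), secret, request_auth, True)),
                          (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)), (CALLING_STATION_ID, client_mac)])
    return build(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def wlc_check_response(pkt, request_auth, secret):
    """Trust the reply only if its Response Authenticator verifies; returns (code, Session-Timeout)."""
    code, ident, auth, attr_bytes = parse(pkt)
    if not hmac.compare_digest(auth, authenticator(code, ident, request_auth, attr_bytes, secret)):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    attrs = decode_attrs(attr_bytes)
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0] if SESSION_TIMEOUT in attrs else None
    return code, timeout


def wlc_accounting_request(secret, ident, status, session_id, username, client_mac, client_ip, session_time=None):
    attrs = [(ACCT_STATUS_TYPE, status), (ACCT_SESSION_ID, session_id), (USER_NAME, username),
             (CALLING_STATION_ID, client_mac), (FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))]
    if session_time is not None:
        attrs.append((ACCT_SESSION_TIME, session_time))
    attr_bytes = encode_attrs(attrs)
    # RFC 2866: the Accounting-Request authenticator is computed with 16 zero octets in the auth field
    return build(ACCT_REQUEST, ident, authenticator(ACCT_REQUEST, ident, b"\x00" * 16, attr_bytes, secret), attr_bytes)


# Guest server side (step 5, and the accounting sink)
def guest_server_authenticate(pkt, secret, accounts, now):
    """Password and validity-window check; an Accept carries the remaining time as Session-Timeout (27)."""
    _, ident, request_auth, attr_bytes = parse(pkt)
    attrs = decode_attrs(attr_bytes)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pwd = user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth, False)
    acct = accounts.get(user)
    ok = acct is not None and hmac.compare_digest(pwd, acct["password"].encode()) and acct["start"] <= now < acct["end"]
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = encode_attrs([(SESSION_TIMEOUT, acct["end"] - now)]) if ok else b""
    return build(code, ident, authenticator(code, ident, request_auth, reply, secret), reply)


def guest_server_account(pkt, secret):
    """Verify the accounting authenticator, return the audit record and the Accounting-Response."""
    code, ident, auth, attr_bytes = parse(pkt)
    if code != ACCT_REQUEST or not hmac.compare_digest(auth, authenticator(ACCT_REQUEST, ident, b"\x00" * 16, attr_bytes, secret)):
        raise ValueError("accounting request failed authentication")
    a = decode_attrs(attr_bytes)
    record = {"status": "Start" if struct.unpack("!I", a[ACCT_STATUS_TYPE])[0] == ACCT_START else "Stop",
              "session_id": a[ACCT_SESSION_ID].decode(), "user": a[USER_NAME].decode(),
              "mac": a[CALLING_STATION_ID].decode(), "ip": socket.inet_ntoa(a[FRAMED_IP_ADDRESS]),
              "session_time": struct.unpack("!I", a[ACCT_SESSION_TIME])[0] if ACCT_SESSION_TIME in a else None}
    return record, build(ACCT_RESPONSE, ident, authenticator(ACCT_RESPONSE, ident, auth, b"", secret), b"")
```

The point a deployment should take from this: the Access-Accept is trusted only because its Response Authenticator checks out under the shared secret, so a weak or reused secret on the WLC-to-NGS link lets anyone on that path mint accepts, and the MD5-based password hiding only obscures the guest password from a passive observer without the secret. Run the RADIUS leg over a management segment the guests cannot reach rather than over the guest VLAN.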
Cisco NAC Guest Server: Sponsor Portal, Create and Print Guest Access Credentials (screenshot)
Cisco NAC Guest Server: Sponsor Portal, Guest Reports and Logs (screenshot)
Guest Provisioning Service: Customer/Partner Server

Customers or third-party partners can create their own provisioning service.
Customized provisioning can interact with the Cisco Guest Solution at several levels:
At WLC level, using the RADIUS protocol
At WCS level, using the SOAP/XML API
At NGS level, using its API and XML
Guest Access Service: User Provisioning
Components of a Guest Access Solution: User Provisioning

Functions are shown for three roles: IT Admin, Guest User and Employee.
IT admin functions and the component that delivers each:
Path isolation and network segmentation: tunnels or VLANs
Guest services and user policy management: differentiated access by user
User provisioning: guest provisioning web portal
User login portal: guest user intercept web auth portal
Reporting and tracking: audit trails and reporting
Guest Access Services: Wireless Clients

How does a wireless user connect to the network?
The client associates to the access point using an SSID.
Each defined SSID can use a different authentication method (EAP type).
Guest users usually associate to an open guest SSID.
This is the easiest deployment; no configuration is required on the client side. An open SSID provides no Layer 2 encryption, so the guest's traffic, including the portal login unless the portal uses HTTPS, is protected only by the applications themselves.
SSID: Service Set Identifier
Step-by-Step Guest Access Service

1. The IT admin defines the guest policies and the employee service access policies.
2. The Lobby Ambassador or Employee Sponsor creates the guest access credentials.
3. The provisioning server configures the WLC.
4. The guest credentials are delivered to the guest by print, e-mail or SMS.
5. The guest associates to the open guest Wi-Fi service and is intercepted by the WLC.
6. The WLC, NGS or Clean Access pushes the guest portal, and the guest provides the credentials.
7. The guest has Internet access.

(Diagram: Wireless LAN Controller (policy enforcement) with the Guest Web Portal; Corporate Network with path isolation; Internet; Guest Provisioning (WCS, NGS, ...); Lobby Ambassador / Employee Sponsor; Guest (visitor, contractor, customer); IT Admin (network/solution management); AAA Server (TACACS+, LDAP). Steps 1 to 7 are marked.)
Components of a Guest Access Solution: User Login Portal

(Same component overview as under User Provisioning, with the user login portal and the guest user intercept web auth portal highlighted.)
Guest Authentication Portal: Overview

The guest authentication portal is served by the WLC.
When deploying a guest DMZ, the authentication portal is served by the Anchor WLC in the DMZ.
The WLC guest authentication portal supports three modes:
Internal
Customized (downloaded to the controller)
External (redirect to an external server)
Guest Authentication Portal: Internal Web Portal
Guest Authentication Portal: Internal Web Portal, Web Login Page on the Client

The wireless guest user associates to the guest SSID.
The user initiates a browser connection to any website.
The web login page is displayed.

(Diagram: campus core with LWAPP access points serving the Guest and Emp SSIDs, wireless VLANs, WCS and WLC, Internet; the guest wireless client receives the web login page from the WLC.)
Guest Authentication Portal: External Web Portal

Web portal: external web server, to which the WLC redirects the client.

(Diagram: campus core with LWAPP access points serving the Guest and Emp SSIDs, wireless VLANs, WLC and external web server, Internet.)
Guest Authentication Portal: External Web Portal, Configuring Customized WebAuth in WCS

Download a sample copy of the customized WebAuth page from WCS.
Customize the WebAuth page as per your requirements.
Upload the newly customized WebAuth page to the Anchor WLC.

(Diagram: campus core with LWAPP access points serving the Guest and Emp SSIDs, wireless VLANs, WCS, Internet.)
Services Edge: Configuring Customized WebAuth in WCS

Upload the customized web page to the Anchor WLC.
A customized WebAuth bundle can contain:
22 login pages (16 WLANs, 5 wired LANs and 1 global)
22 login failure pages (WCS 5.0 and later)
22 login success pages (WCS 5.0 and later)

(Diagram: same campus topology as above, with WCS.)
Services Edge: Sample Customized WebAuth in WCS

Sample WebAuth bundle with customized login.html, logout.html and loginfailure.html files.

(Diagram: same campus topology as above, with WCS.)
Guest Authentication Portal: Customizable Web Portal

Create your own guest access portal web page.
Download it to the guest WLC.
Configure the WLC to use the "customizable web portal" option.
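To build a bundle like the one described on these slides, here is an added Python example (not Cisco's sample bundle): it writes login.html, loginfailure.html and logout.html, checks that the login form keeps the contract the controller expects (a POST to /login.html carrying the buttonClicked, err_flag, redirect_url, username and password fields, with buttonClicked set to 4 on submit, as in the stock controller page) and that the page loads nothing from outside the controller, then packs the three files into the .tar the WLC downloads. The organisation text, the notice, the page wording and the tar layout are assumptions.

```python
"""Build a customised WebAuth bundle for the WLC and check the login page first.

Added example, not Cisco's sample webauth bundle. The form contract (POST to
/login.html with buttonClicked, err_flag, redirect_url, username, password;
buttonClicked set to 4 on submit) follows the stock controller login page; the
organisation text, the notice and the file layout below are constructed.
"""
import html
import io
import re
import tarfile

REQUIRED_FIELDS = ("buttonClicked", "err_flag", "redirect_url", "username", "password")

SUBMIT_JS = """
function submitAction() {
  var f = document.forms[0];
  // the controller appends the originally requested URL as ?redirect=...
  var m = window.location.search.match(/[?&]redirect=([^&]*)/);
  f.redirect_url.value = m ? decodeURIComponent(m[1]).substring(0, 255) : "";
  f.buttonClicked.value = 4;          // 4 = "Submit" in the stock page
  f.submit();
}
"""


def _page(title, body):
    # Everything inline: before authentication the client can reach only the controller's
    # virtual interface (plus DHCP/DNS), so external stylesheets, fonts or scripts never load.
    return (f"<!DOCTYPE html><html><head><meta charset='utf-8'><title>{html.escape(title)}</title>"
            f"<style>body{{font-family:sans-serif;margin:2em}}</style></head><body>{body}</body></html>")


def login_page(org, notice):
    safe_org, safe_notice = html.escape(org), html.escape(notice)   # never interpolate raw text
    body = (f"<h1>{safe_org} guest network</h1><p>{safe_notice}</p>"
            f"<script>{SUBMIT_JS}</script>"
            '<form method="post" action="/login.html">'
            '<input type="hidden" name="buttonClicked" value="0">'
            '<input type="hidden" name="err_flag" value="0">'
            '<input type="hidden" name="redirect_url" value="">'
            '<label>Username <input type="text" name="username"></label><br>'
            '<label>Password <input type="password" name="password"></label><br>'
            '<input type="button" value="Log in" onclick="submitAction()"></form>')
    return _page(f"{org} guest login", body)


def login_failure_page(org):
    return _page(f"{org} login failed", "<h1>Login failed</h1><p>Check the credentials on your printout "
                 "and try again, or contact your sponsor.</p><p><a href='/login.html'>Back</a></p>")


def logout_page(org):
    return _page(f"{org} connected", "<h1>You are connected</h1><p>Close this window to end your session.</p>")


def check_login_page(page):
    """Problems that would make the controller ignore the login, or the page fail to render before auth."""
    problems = []
    if not re.search(r'<form[^>]*action="/login\.html"', page):
        problems.append("form must post to /login.html")
    for field in REQUIRED_FIELDS:
        if not re.search(rf'name="{field}"', page):
            problems.append(f"missing form field {field}")
    if re.search(r'(?:src|href)="(?:https?:)?//', page):
        problems.append("references an off-box resource that is unreachable before login")
    return problems


def build_bundle(org, notice):
    """Return the .tar bytes the WLC downloads; refuses to pack a login page that breaks the contract."""
    pages = {"login.html": login_page(org, notice),
             "loginfailure.html": login_failure_page(org),
             "logout.html": logout_page(org)}
    problems = check_login_page(pages["login.html"])
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in pages.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def bundle_members(blob):
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return sorted(tar.getnames())
```

Escape every string that ends up in the page: the portal is the one page every guest sees, and a sponsor-supplied organisation name or notice that reaches the HTML unescaped turns the portal into a script injection point. Keep the page self-contained, since before login the client's traffic is limited to the controller's virtual interface and DHCP/DNS, so anything referenced off-box simply fails to load.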
Guest Services: Reporting and Tracking
Components of a Guest Access Solution: Reporting and Tracking

(Same component overview as under User Provisioning, with reporting and tracking, audit trails and reporting highlighted.)
Guest User Reports and Tracking

WCS guest user reports can be used for guest usage monitoring and tracking.
WCS can generate scheduled guest usage reports and save them as CSV files.
Information tracked in WLC/WCS:
Lobby Ambassador login that created the guest account
Guest login
Guest session start and end
Guest MAC address
Guest IP address
WLC used and AP connected to
Information not tracked in WLC/WCS:
UDP/TCP sessions (IP destinations, UDP/TCP ports)
HTTP URLs and any other Layer 4 and above information
For extended flow tracking, use the logging features of the Cisco ASA in the guest path.
Guest User Legal Tracking

The WLC sends SNMP traps for guest access reporting.
The WLC sends RADIUS accounting packets for guest access sessions.
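As an added example of the tracking data these two slides describe, not WCS report code: a Python script that folds the WLC's RADIUS accounting Start/Stop records into sessions, joins each with the sponsor who created the guest login, and writes the CSV the tracking report would hold. The accounting records, the account table and the Called-Station-Id layout (AP MAC followed by the SSID) are constructed for illustration.

```python
"""Guest session tracking report built from WLC RADIUS accounting and the sponsor records.

Added example, not a WCS report. The accounting records, the account table and the
Called-Station-Id layout (AP MAC, then SSID) are constructed for illustration;
the attribute names are the RFC 2866 ones a RADIUS server logs.
"""
import csv
import io

FIELDS = ["session_id", "sponsor", "guest", "start", "end", "mac", "ip", "wlc", "ap"]

# Constructed accounting records as logged by the guest server (one dict per packet).
ACCOUNTING = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "4a4b0c01", "User-Name": "guest1@example.com",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.20.30.40",
     "NAS-IP-Address": "10.0.0.5", "Called-Station-Id": "00-1a-2b-3c-4d-5e:Guest", "Timestamp": 1246270000},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "4a4b0c02", "User-Name": "guest2@example.com",
     "Calling-Station-Id": "00-66-77-88-99-aa", "Framed-IP-Address": "10.20.30.41",
     "NAS-IP-Address": "10.0.0.5", "Called-Station-Id": "00-1a-2b-3c-4d-5f:Guest", "Timestamp": 1246271000},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "4a4b0c01", "User-Name": "guest1@example.com",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.20.30.40",
     "NAS-IP-Address": "10.0.0.5", "Called-Station-Id": "00-1a-2b-3c-4d-5e:Guest",
     "Acct-Session-Time": "5400", "Timestamp": 1246275400},
]
# Constructed provisioning records: which sponsor created which guest login.
ACCOUNTS = {"guest1@example.com": "lobby.ambassador1", "guest2@example.com": "sponsor.employee7"}


def sessions(records):
    """Fold Start/Stop packets by Acct-Session-Id; a Start without a Stop is an open session."""
    by_id = {}
    for r in sorted(records, key=lambda r: r["Timestamp"]):
        s = by_id.setdefault(r["Acct-Session-Id"], {"start": None, "end": None})
        s.update(guest=r["User-Name"], mac=r["Calling-Station-Id"], ip=r["Framed-IP-Address"],
                 wlc=r["NAS-IP-Address"], ap=r["Called-Station-Id"].split(":")[0])
        if r["Acct-Status-Type"] == "Start":
            s["start"] = r["Timestamp"]
        elif r["Acct-Status-Type"] == "Stop":
            s["end"] = r["Timestamp"]
            if s["start"] is None and "Acct-Session-Time" in r:      # Stop seen without its Start
                s["start"] = r["Timestamp"] - int(r["Acct-Session-Time"])
    return by_id


def tracking_report(records, accounts):
    """One row per session, joined with the sponsor who created the guest login."""
    rows = []
    for sid, s in sessions(records).items():
        rows.append({"session_id": sid, "sponsor": accounts.get(s["guest"], "unknown"), "guest": s["guest"],
                     "start": s["start"], "end": s["end"] if s["end"] is not None else "open",
                     "mac": s["mac"], "ip": s["ip"], "wlc": s["wlc"], "ap": s["ap"]})
    return sorted(rows, key=lambda r: r["start"])


def report_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```

A Start without a matching Stop is reported as open rather than dropped, and a Stop whose Start was lost is reconstructed from Acct-Session-Time; both happen in practice after a controller failover. Nothing in these records says where the guest connected to: destination addresses and ports come only from the firewall logs mentioned on the previous slide.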
Guest User Reports in WCS: Guest Tracking report (screenshot)
What We Have Covered...

What a Guest Access Service is made of.
The need for a secured infrastructure to support isolated guest traffic; Unified Wireless is a key component of this infrastructure.
The components of the guest service are integrated in the Cisco Unified solution but can be complemented at several levels.
Project deployments may have to take care of "reporting and tracking" aspects, depending on the region.
Complete Your Online Session Evaluation

Session material, communities and on-demand activities are available through Cisco Live Virtual at www.ciscolive.com.
EoIP Tunnel Combination Between WLC Versions

(Table: rows are the Remote controller software versions and columns the Anchor controller versions, each over the releases 4.1.185, 4.2.112, 5.0.148, 5.1.78 and 6.0.182. The supported/unsupported marks in the cells are not reproduced here.)
Acronyms
VPN—Virtual Private Network
ACL—Access Control List
ACE—Access Control Entry
SSID—Service Set Identifier
MPLS—Multiprotocol Label Switching
DHCP—Dynamic Host Configuration Protocol
DNS—Domain Name System
EAP—Extensible Authentication Protocol
EAPoL—EAP over LAN
AAA—Authentication, Authorization and Accounting
RADIUS—Remote Authentication Dial-In User Service
CDP—Cisco Discovery Protocol
MDA—Multi Domain Authentication
IBNS—Identity-Based Networking Services
WLAN—Wireless LAN
AP—Access Point
WLC—WLAN Controller
LWAPP—Lightweight Access Point Protocol
QoS—Quality of Service
VRF—Virtual Routing and Forwarding
GRE—Generic Routing Encapsulation
mGRE—Multipoint GRE
IGP—Interior Gateway Protocol
EIGRP—Enhanced Interior Gateway Routing Protocol
OSPF—Open Shortest Path First
WAN—Wide Area Network
SVI—Switched Virtual Interface
EoIP—Ethernet over IP