2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Wireless Guest Access Design & Deployment
Tom Koenig
Wireless Product Manager
Guest Networking Drivers
Guest user integration: overcoming traditional solutions (modem port or parallel networks)
Seamless support for wireless and wired clients
Restricting access to enterprise internal resources
Allowing guest users to establish VPN connections back to their own corporate networks
Centralized management and control
Authentication/logging capabilities for guests
Network Virtualization Architecture: A framework for providing Guest Access
Three functional blocks, applied across Branch, WAN/MAN, Campus, Data Center and Internet Edge: Access Control, Path Isolation, Services Edge

Functions
  Access Control
    Authenticate the client (user, device, application) attempting to gain network access
    Authorize the client into a partition (VLAN, ACL)
    Deny access to unauthenticated clients
  Path Isolation (VRFs, GRE, MPLS, EoIP)
    Maintain traffic partitioned over the Layer 3 infrastructure
    Transport traffic over isolated Layer 3 partitions
    Map each isolated Layer 3 path to VLANs in the Access and Services Edge
  Services Edge
    Provide access to services: shared or dedicated
    Apply policy per partition
    Isolate application environments if necessary

Guest-specific functions
  Access Control
    Identify wired and wireless guests
    Authorize guests onto the guest ACL, VLAN or SSID
  Path Isolation
    Keep guest traffic from reaching internal destinations
    Steer guest traffic to the web-authentication appliances
  Services Edge
    Internet access and policies for guests and employees
    Web-authentication, DHCP and DNS services for guests
Access Control: Cisco WLAN Controller Deployments
The LWAPP tunnel is a Layer 2 tunnel: it encapsulates the client's original Ethernet frame
The same LWAPP tunnel carries the data traffic of all SSIDs served by an AP
Control and data traffic are tunneled to the controller via LWAPP: data uses UDP 12222, control uses UDP 12223
Data traffic is bridged onto a unique VLAN corresponding to each SSID
The traffic isolation provided by VLANs holds only up to the switch where the controller is connected, that is, up to the first Layer 3 hop
(Figure: campus core with a WiSM/WLAN controller, LWAPP tunnels from the APs, Guest and Emp VLANs at the access layer)
Access Control: End-to-End Wireless Traffic Isolation
VLAN isolation for standalone APs is likewise valid only up to the first Layer 3 hop
(Figure: standalone AP and controller-based AP, each carrying traffic over GRE or LWAPP towards a centralized controller)
Recommendation for controller-based deployments: place the controllers in a centralized location (data center or campus services block)
The Challenge
How to provide end-to-end guest traffic isolation, allowing Internet access but preventing any other communication?
Path Isolation: WLAN Controller Deployments with EoIP Tunnel
Use of EoIP tunnels to logically segment and transport the guest traffic between the edge and anchor controllers
Other traffic (employee traffic, for example) is still bridged locally on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the edge controllers
The guest's original Ethernet frame is preserved across the LWAPP and EoIP tunnels
EoIP is supported across all WLAN controllers
The 2006 controller model cannot terminate EoIP tunnels (it cannot take the anchor role)
(Figure: Guest WLAN Controller (anchor) at the Internet edge; EtherIP guest tunnels from the edge controllers across the campus core; LWAPP tunnels from the APs; Guest and Emp VLANs at the access layer)
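The following is an added example, not code from this deck or from Cisco. It encapsulates a constructed guest Ethernet frame the way the EoIP guest tunnel carries it from the edge controller to the anchor, confirms that the frame the anchor bridges onto the guest VLAN is byte-for-byte what the client sent, and applies the check a core ACL or IDS rule should enforce: EtherIP may only flow between the edge controller and the anchor. It assumes the EoIP tunnel uses RFC 3378 EtherIP framing (IP protocol 97, a 16-bit header with version 3 in the top nibble and 12 reserved zero bits, followed by the unmodified frame); the controller addresses and the sample frame are constructed for the example.

```python
"""EtherIP (RFC 3378) encapsulation of a guest Ethernet frame, as carried by the
EoIP guest tunnel between the edge (foreign) controller and the anchor controller.

Added example, not Cisco code. Assumptions: the WLC EoIP tunnel uses RFC 3378
EtherIP framing (IP protocol 97, 16-bit header: version 3 in the top nibble,
12 reserved zero bits, then the unmodified Ethernet frame); the controller
addresses and the sample frame below are constructed.
"""
import struct

ETHERIP_VERSION = 3
IPPROTO_ETHERIP = 97
ETHERNET_HEADER_LEN = 14

# Constructed tunnel endpoints: edge (foreign) controller and guest anchor.
EDGE_CONTROLLER = "10.1.1.10"
ANCHOR_CONTROLLER = "10.200.1.5"
ALLOWED_TUNNELS = {frozenset({EDGE_CONTROLLER, ANCHOR_CONTROLLER})}


def etherip_encap(frame: bytes) -> bytes:
    """Prepend the EtherIP header. The guest's frame is carried untouched, which
    is why the anchor can bridge it onto the guest VLAN as if the client were
    locally attached."""
    if len(frame) < ETHERNET_HEADER_LEN:
        raise ValueError("not an Ethernet frame")
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decap(payload: bytes) -> bytes:
    """Validate the header (RFC 3378 section 2) and return the inner frame."""
    if len(payload) < 2 + ETHERNET_HEADER_LEN:
        raise ValueError("EtherIP payload too short")
    (hdr,) = struct.unpack("!H", payload[:2])
    if hdr >> 12 != ETHERIP_VERSION:
        raise ValueError("unsupported EtherIP version %d" % (hdr >> 12))
    if hdr & 0x0FFF:
        raise ValueError("reserved bits must be zero")
    return payload[2:]


def parse_ethernet(frame: bytes):
    """Return (dst MAC, src MAC, EtherType, payload) of an Ethernet II frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype, frame[14:]


def tunnel_allowed(outer_src: str, outer_dst: str, ip_proto: int) -> bool:
    """The check a core ACL or IDS rule should enforce: EtherIP may only flow
    between the edge controller and the anchor. Any other EtherIP flow is a
    rogue or misconfigured tunnel carrying Layer 2 frames past the partition."""
    if ip_proto != IPPROTO_ETHERIP:
        return True  # not an EoIP tunnel; outside this check's scope
    return frozenset({outer_src, outer_dst}) in ALLOWED_TUNNELS


def build_guest_frame() -> bytes:
    """Constructed sample: a guest client's IPv4 frame with placeholder payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", 0x0800) + b"guest-client-ip-packet"


def round_trip(frame: bytes) -> bool:
    """Encapsulate at the edge controller, decapsulate at the anchor, and confirm
    the frame the anchor bridges is byte-for-byte the original."""
    return etherip_decap(etherip_encap(frame)) == frame


if __name__ == "__main__":
    f = build_guest_frame()
    print("EtherIP header:", etherip_encap(f)[:2].hex())
    print("frame preserved:", round_trip(f))
    print("edge<->anchor:", tunnel_allowed(EDGE_CONTROLLER, ANCHOR_CONTROLLER, IPPROTO_ETHERIP))
    print("rogue tunnel:", tunnel_allowed(EDGE_CONTROLLER, "10.1.1.99", IPPROTO_ETHERIP))
```

Because the inner frame survives unchanged, the guest VLAN only needs to exist behind the anchor; the same property means any host that can send IP protocol 97 to the anchor can inject Layer 2 frames onto that VLAN, which is why the endpoint check belongs in the core ACLs and not only in the controllers' mobility configuration.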
Path Isolation: WLAN Controller Deployments with EoIP Tunnel
Pros
Simple configuration
Overlay solution: no need to modify the network configuration
Cons
Supports wireless guest clients only
Limited to controller-based wireless deployments
Services Edge: Guest Network Services
Providing network services to guest users in a centralized location
Dedicated DHCP and DNS services, still controlled by the host organization
DNS services offered by an external server
DHCP services offered by an external server or by the web-auth appliance
Separate firewall dedicated to guests
Firewall in routed mode: guest addresses are NAT/PAT-translated to the firewall's outside address, so return traffic from the Internet is addressed to that firewall and comes back through it
Firewall in transparent mode: no translation takes place, so the Internet router needs static routes for the guest subnet pointing back through the firewall
Web-authentication for Guest Users: Technical Requirements
Common web-authentication system for wired and wireless clients
Deployed in a centralized fashion: authentication and authorization on a centralized in-band device
Record the activity of guest users while connected to the enterprise network
Force the acceptance of enterprise legal disclaimer before getting Internet connectivity
Used for billing purposes (in some cases)
Controller Guest Access Components Overview
1. Back-end segmentation (mobility anchor)
Separate the guest traffic from the corporate internal traffic via EoIP tunnels
2. Lobby ambassador/host portal
Guest user creation and token generation
Web portal: internal (on the controller) or external
3. Customizable guest screen
Fully customizable guest login screen
4. Back-end authentication
Local user database
External AAA authentication capable
(Figure: WCS and the campus core; LWAPP tunnels from the APs; EtherIP guest tunnels to the anchor at the Internet edge; Guest and Emp VLANs)
New Guest Features in WLAN Controller
Lobby Ambassador account role in WCS for guest user credential creation, monitoring, and deletion
Guest user IDs and passwords auto-generated or manually defined
Guest user account manageable via SNMP
Fully customizable login screen downloadable to the controller
The downloaded pages and image files replace the controller's built-in web authentication page
The pages are delivered to the controller over TFTP as a tar file of at most 1 MB
Lobby Ambassador Feature in WCS
Lobby Ambassador (LA) role created which only allows access to the Lobby Administrator screen in WCS
The role exists on both the controller and WCS
Traps sent to notify when guest user account expires
(Figure: WCS managing the campus controllers; LWAPP tunnels from the APs; Guest and Emp VLANs)
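The lobby-ambassador workflow above, as an added example that is not WCS or WLC code: a guest ID and password are generated from a CSPRNG, the account carries a bounded lifetime, the web-auth back end rejects unknown, expired or mistyped credentials in constant time, and a sweep returns the accounts whose expiry should be reported and cleaned up. The username format, the password alphabet, the one-week lifetime cap and the hashing scheme are this example's own assumptions.

```python
"""Guest account lifecycle modelled on the lobby-ambassador workflow: auto-generated
user ID and password, a bounded lifetime, and detection of expired accounts (the
event for which WCS raises a trap).

Added example, not Cisco WLC/WCS code. Username format, password alphabet,
lifetime cap and hashing scheme are this example's own assumptions.
"""
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Drop characters a guest copying from a printed slip tends to confuse (0/O, 1/l/I).
PASSWORD_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI"
)
PASSWORD_LENGTH = 10               # about 58 bits from a 57-character alphabet
MAX_LIFETIME = timedelta(days=7)   # assumed policy: no guest account outlives a week
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = bytes(16)            # used so unknown usernames cost the same as known ones


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    password_hash: bytes
    sponsor: str          # lobby ambassador who created the account
    created: datetime
    expires: datetime

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_guest(sponsor: str, lifetime: timedelta, now: datetime):
    """Create an account and return (account, cleartext password). The cleartext
    is handed to the sponsor once; only the salted hash is retained."""
    if not timedelta(0) < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be positive and at most %s" % MAX_LIFETIME)
    username = "guest-" + secrets.token_hex(3)
    password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))
    salt = secrets.token_bytes(16)
    acct = GuestAccount(username, salt, _hash_password(password, salt),
                        sponsor, now, now + lifetime)
    return acct, password


def authenticate(accounts: dict, username: str, password: str, now: datetime) -> bool:
    """Web-auth back-end check: unknown, expired or wrong password all fail.
    The hash is always computed and compared with compare_digest so that the
    response time does not reveal whether the username exists."""
    acct = accounts.get(username)
    salt = acct.salt if acct is not None else _DUMMY_SALT
    candidate = _hash_password(password, salt)
    if acct is None or acct.is_expired(now):
        return False
    return secrets.compare_digest(candidate, acct.password_hash)


def expired_accounts(accounts: dict, now: datetime) -> list:
    """Accounts that should be reported (trap) and removed from the controller."""
    return sorted(u for u, a in accounts.items() if a.is_expired(now))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    acct, pw = create_guest("lobby-desk-1", timedelta(hours=8), now)
    db = {acct.username: acct}
    print("issued", acct.username, pw, "until", acct.expires.isoformat())
    print("login now:", authenticate(db, acct.username, pw, now))
    print("login tomorrow:", authenticate(db, acct.username, pw, now + timedelta(days=1)))
    print("to clean up tomorrow:", expired_accounts(db, now + timedelta(days=1)))
```

The expiry check is done at authentication time as well as in the sweep, so a guest whose account lapsed between sweeps cannot keep logging in until the next trap fires.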
Add a Guest User and Apply to Controllers
(Screenshot: Apply to Controller; Select the Controller)
Guest User Now Applied to Controller
Create the Lobby Admin in WLC
(Figure: WLC in the campus; LWAPP tunnels from the APs; Guest and Emp VLANs)
The Lobby Administrator can be created directly in the WLC
Add a Guest User on the WLC
(Screenshot: Guest User List, New)
Web Portal: Internal to WLC
Internal Web Login Page in WLC
(Figure: WLC serving the login page; LWAPP tunnels across the campus core; Guest and Emp VLANs)
Web Portal: External Web Server
Web Portal in an External Web Server
(Figure: external web server reachable from the WLC; LWAPP tunnels across the campus core; Guest and Emp VLANs)
Web Login Page on the Client
The wireless guest user associates to the guest SSID
Initiates a browser connection to any website
The web login page is displayed
(Figure: guest wireless client; WCS; LWAPP tunnels across the campus core to the Internet edge; Guest and Emp VLANs)
Custom Web Authentication
Custom web authentication page including the image file will replace the original Web Authentication page on a controller
Only one web authentication page (built-in or custom) is active at a time
The controller will allow downloading up to 1 MB of a tar file containing the web pages and image files via TFTP
The tar file will be untarred into the controllers file system
The web auth login page name will be pre-defined as login.html
The user will be allowed to preview the customized web authentication pages through the Controller Web UI
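An added example, not Cisco code, that builds a custom web-authentication bundle in memory and checks it before it is handed to TFTP for download to the controller. The two rules it enforces from this slide are the 1 MB limit and the login page name login.html; that login.html must sit at the bundle root, the list of permitted file types, and the rejection of absolute or parent-relative paths and non-regular files (which an untar onto the controller's file system should never see) are this example's own assumptions. The sample pages are constructed.

```python
"""Build and check a custom web-authentication bundle before it is downloaded
to the controller over TFTP.

Added example, not Cisco code. From the deck: the bundle is a tar file of at most
1 MB and the login page must be named login.html. That login.html sits at the
bundle root, the permitted file types, and the path and file-type checks are
assumptions of this example.
"""
import io
import posixpath
import tarfile

MAX_BUNDLE_BYTES = 1024 * 1024
LOGIN_PAGE = "login.html"
ALLOWED_SUFFIXES = {".html", ".htm", ".css", ".js", ".gif", ".jpg", ".jpeg", ".png"}


def build_bundle(files: dict) -> bytes:
    """Pack {path: bytes} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def validate_bundle(blob: bytes) -> list:
    """Return a list of problems; an empty list means the bundle is acceptable.
    Beyond the controller's two rules, reject anything an untar on the
    controller's file system should never see: absolute or parent-relative
    paths, and non-regular members such as symlinks or hard links."""
    problems = []
    if len(blob) > MAX_BUNDLE_BYTES:
        problems.append("bundle is %d bytes, limit is %d" % (len(blob), MAX_BUNDLE_BYTES))
    try:
        tar = tarfile.open(fileobj=io.BytesIO(blob), mode="r:")
    except tarfile.TarError as exc:
        return problems + ["not a tar archive: %s" % exc]
    regular_files = []
    with tar:
        for member in tar:
            if member.name.startswith("/") or ".." in member.name.split("/"):
                problems.append("unsafe path: %s" % member.name)
                continue
            if member.isdir():
                continue
            if not member.isfile():
                problems.append("not a regular file: %s" % member.name)
                continue
            if posixpath.splitext(member.name)[1].lower() not in ALLOWED_SUFFIXES:
                problems.append("disallowed file type: %s" % member.name)
            regular_files.append(member.name)
    if LOGIN_PAGE not in regular_files:
        problems.append("%s missing at bundle root" % LOGIN_PAGE)
    return problems


# Constructed sample bundle: a login page and one image it references.
SAMPLE_FILES = {
    "login.html": b"<html><body><form method=post>"
                  b"<img src=images/logo.gif><input name=username>"
                  b"<input name=password type=password></form></body></html>",
    "images/logo.gif": b"GIF89a" + bytes(16),
}

if __name__ == "__main__":
    print("sample bundle problems:", validate_bundle(build_bundle(SAMPLE_FILES)))
    print("oversized bundle problems:",
          validate_bundle(build_bundle({"login.html": bytes(MAX_BUNDLE_BYTES + 1)})))
```

Run the check on the exact bytes that will be served by the TFTP server, not on the source directory, since tar headers and block padding count towards the 1 MB limit.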
Configuring Customized WebAuth in WCS
Download the sample file and upload a customized web page in WCS
(Figure: WCS and WLC in the campus; LWAPP tunnels from the APs; Guest and Emp VLANs)
Guest User Database: Internal
Use the Internal User Database of the WLC
(Figure: WLC holding the guest user database; LWAPP tunnels across the campus core; Guest and Emp VLANs)
Guest User Database: External RADIUS
External RADIUS Can Be Used to Store Guest Usernames
(Figure: RADIUS server queried by the WLC; LWAPP tunnels across the campus core; Guest and Emp VLANs)
External In-band Web Auth Appliance (CCA)
Solution components: CAS (Clean Access Server) and CAM (Clean Access Manager) running on Linux servers
Performance: 1 Gbps throughput with up to 2500 concurrent user authentications
Integration: with Kerberos, LDAP, RADIUS, Active Directory, S/Ident, and others
HA: 2-node failover cluster or N+1 load balancing
CAS deployed in L3 in-band mode
Support for network scan (Nessus) of guest machines
Support for complete posture assessment (agent required on clients)
Guest access methods:
Authentication-less: via a single Guest button or Email/Name/Location
Authentication: via GuestNet or Visitornetwork