
Designing Guest Access with the Cisco Unified Wireless Network

BRKAGG-2016 Mike Adler WNBU TME miadler@cisco.com


2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

What You Will Learn


What are the requirements of a Guest Access Service
How to design and implement a secured Guest Access Service using Cisco Unified Wireless Network
The authentication alternatives to control Guest Access (Web portal authentication)
Solutions to provision the guest accounts
Aspects of Reporting and Monitoring


Agenda
Introduction
Guest Access Service Requirements
Deploying Secured Wireless Network supporting Wireless and Wired Guest Access

Guest Policy Enforcement


Guest Access Provisioning
Guest Authentication Portal

Guest Life Cycle Management and Reporting


Drivers for Guest Network Access


Providing a Positive Visitor Experience
Visitor Access for VPN
Internet Access for Customers
Contractor Secured Internal Network Access
On-Site Vendor Demos
Segmenting Visitors from Subsidiaries

Balancing the Needs of Guest Users and IT Departments

[Figure: Guest Access at the centre, balancing streamlining IT management and control, network integrity and security, customized access, simplified network design, and cost-effective deployment and operations]

Types of Network Users

Corporate Employees (Full Access)
Need internal network access
Can be role based to allow granular access if needs require

Contractors/Consultants
Need restricted internal access: printers, file shares, specific applications, device support

Guest Users (Internet Only)
Internet access only
No need to access internal systems
Segment access completely

Cisco Guest Services Give You Control

Requirements for Secure Guest Access

Technical, usability and monitoring requirements:
No access until authorized
Guest traffic should be segregated from the internal network
Web-based authentication
Full auditing of location, MAC, IP address, username
Overlay onto existing enterprise network
Bandwidth and QoS management
No laptop reconfiguration, no client software required: plug and play
Splash screens and web content can differ by location
Easy administration by non-IT staff
Guest network must be free or cost-effective and non-disruptive
Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted
Logging and monitoring
Must not require guest desktop software or configuration

Deploying Secured Wireless and Wired Network for Guest Access


Functional Components of a Guest Access Solution

[Figure: three functional blocks of the solution]
Path Isolation and Network Segmentation: tunnels or VLANs
Guest Services and User Policy Management: differentiated access by user (guest function, employee function); IT admin functions
User Provisioning: guest provisioning web portal (IT admin function); user login portal, i.e. the guest user intercept web auth portal (guest user function)
Reporting and Tracking: audit trails, reporting

Access Control
Standalone AP Deployments
Use of a 802.1Q trunk for the switch to AP connection to carry all the defined VLANs (one VLAN per SSID)
Isolation of guest traffic in the L2 domain using a dedicated guest VLAN associated to the guest SSID
Traffic isolation provided by VLANs is valid up to the first L3 hop device: the distribution layer (Multilayer Campus design) or the access layer (Routed Access Campus design)

[Figure: campus core with Guest and Emp wireless VLANs carried from the standalone APs, each with Guest and Emp SSIDs, up to the first L3 hop]

Guest Access Control
Cisco WLAN Controller Deployments
LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)
Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs
Control and data traffic tunneled to the controller via LWAPP/CAPWAP: data uses UDP 12222/5247, control uses UDP 12223/5246
Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID
Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

LWAPP: Lightweight Access Point Protocol. CAPWAP: Control And Provisioning of Wireless Access Points.

[Figure: WiSM WLAN controller at the campus core; LWAPP/CAPWAP tunnels from the APs carry the Guest and Emp SSIDs and are bridged onto the Guest and Emp wireless VLANs at the controller]

Guest Access Control
WLAN Controller Deployments

Access Layer Switch (no trunk between the AP and the access layer switch, only the AP management VLAN is defined):

vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access

Cisco Catalyst Switch connected to the WLAN Controller (SVIs corresponding to each SSID are defined here):

vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown

Guest Access Control


WLAN Controller Deployments

Create the employee and guest VLAN in the controller


Guest Access Control


WLAN Controller Deployments
Map the employee/guest WLAN in the controller to the respective employee/guest VLAN


Components of a Guest Access Solution: Path Isolation

[Figure: the three functional blocks (path isolation and network segmentation, guest services and user policy management, user provisioning) with Path Isolation and Network Segmentation (tunnels or VLANs) highlighted]

Access Control
End-to-End Wireless Traffic Isolation

The fact
VLAN isolation for standalone APs is valid up to the first L3 hop
Traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller (centralized deployment is recommended)

The challenge
How to provide end-to-end wireless guest traffic isolation, allowing internet access but preventing any other communications?

[Figure: a standalone AP and LWAPP/CAPWAP APs; the LWAPP/CAPWAP tunnels end at the WLAN controller]

Path Isolation
Why Do We Need It for Guest Access?
Extend traffic logical isolation end-to-end over the L3 network domain
Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, etc.)
Securely transport the guest traffic across the internal network infrastructure

[Figure: LWAPP/CAPWAP tunnels from the access points to the controllers]

Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor WLC
2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC

[Figure: Guest WLAN Controller (Anchor) facing the Internet; EoIP guest tunnels from the remote controllers across the campus core; Guest and Emp wireless VLANs at each remote controller, with LWAPP tunnels to the APs]

Path Isolation
WLAN Controller Deployments with EoIP Tunnel (DMZ anchor)

[Figure: DMZ or Anchor Wireless Controller facing the Internet, behind a Cisco ASA Firewall; EoIP guest tunnel from the internal Wireless LAN Controller, which receives the guest traffic over LWAPP/CAPWAP]

Guest Path Isolation
Building the EoIP Tunnel
1. Specify a mobility group for each WLC
2. Open ports for inter-controller tunneled client data and inter-controller control traffic
3. Configure the mobility groups and add the MAC address and IP address of the remote WLC
4. Create identical WLANs on the Remote and Anchor controllers
5. Create the Mobility Anchor for the Guest WLAN
6. Modify the timers in the WLCs
7. Check the status of the Mobility Anchors for the WLAN

Pros
Simple configuration
Overlay solution: no need to modify the network configuration

Cons
Support for wireless and wired (layer 2 adjacent) guest clients only
Limited to WLAN Controller wireless deployments

Guest Path Isolation


WLAN Controller Deployments with EoIP Tunnel
Remote Controller Configuration

Each WLC is part of a mobility group


Guest Path Isolation


WLAN Controller Deployments with EoIP Tunnel
Anchor and Remote Controller Configuration
Configure the mobility groups and add the MAC address and IP address of the remote WLCs

[Screenshots: mobility group members on the Anchor and on the Remote controller]

Guest Path Isolation


WLAN Controller Deployments with EoIP Tunnel
Anchor and Remote Controller Configuration
Configure guest VLANs on the Remote and Anchor controllers

[Screenshots: guest VLAN interface on the Remote and on the Anchor controller]

Guest Path Isolation


WLAN Controller Deployments with EoIP Tunnel
Remote Controller Configuration
Create the mobility anchor for the guest WLAN on Remote WLCs


Guest Path Isolation


WLAN Controller Deployments with EoIP Tunnel
Anchor Controller Configuration
Create the Mobility Anchor for the guest WLAN on Anchor WLC


Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Anchor Controller
Modify the timers on the Anchor WLCs

Check the status of the mobility anchors for the WLAN


Guest Path Isolation
Firewall Ports and Protocols

Open ports in both directions (must be open):
EoIP packets: IP protocol 97
Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)

Do NOT open:
Inter-Controller CAPWAP data/control traffic: UDP 5247/5246
Inter-Controller LWAPP data/control traffic: UDP 12222/12223

Optional management/operational protocols:
SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: TCP port 514
RADIUS Auth/Account: UDP port 1812 and 1813

Path Isolation
Sample Firewall Configuration

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
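As an added example that is not part of the presentation, the following Python script parses host-to-host ASA access-list lines like the ones above and checks them against the port rules of the previous slide: EoIP (IP protocol 97) and mobility UDP 16666 or 16667 must be permitted between the foreign and the anchor controller, while the inter-controller CAPWAP/LWAPP ports must not be. The controller addresses are the ones on the slide; the parser, the check logic and the failing variant are constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three access-list lines from the slide's sample
# firewall configuration (foreign WLC 10.50.10.26, DMZ anchor WLC 10.70.0.2).
SLIDE_ACL = """
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
"""

# Constructed bad variant: CAPWAP control (UDP 5246) was also opened between
# the controllers, which the previous slide marks "Do NOT Open!".
BAD_ACL = SLIDE_ACL + "access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 5246\n"

FOREIGN_WLC = "10.50.10.26"
ANCHOR_WLC = "10.70.0.2"

# Inter-controller CAPWAP/LWAPP data and control ports that must stay closed
# across the DMZ firewall: only EoIP and mobility control cross it.
FORBIDDEN_UDP = {5246: "CAPWAP control", 5247: "CAPWAP data",
                 12223: "LWAPP control", 12222: "LWAPP data"}


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "udp", "tcp", or an IP protocol number such as "97"
    src: str
    dst: str
    port: Optional[int]  # destination port given with "eq", None otherwise


# Only the host-to-host "extended" form used on the slide is supported.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?$"
)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse access-list lines in configuration order; blank and '!' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        port = int(m["port"]) if m["port"] else None
        entries.append(AclEntry(m["name"], m["action"], m["proto"].lower(),
                                m["src"], m["dst"], port))
    return entries


def permits(entries: List[AclEntry], proto: str, port: Optional[int], src: str, dst: str) -> bool:
    """First matching entry wins, as on the ASA; no match is the implicit deny."""
    for e in entries:
        if (e.proto, e.port, e.src, e.dst) == (proto, port, src, dst):
            return e.action == "permit"
    return False


def audit(text: str, foreign: str = FOREIGN_WLC, anchor: str = ANCHOR_WLC) -> List[str]:
    """Return findings; an empty list means the ACL follows the slide's port rules."""
    entries = parse_acl(text)
    findings = []
    if not permits(entries, "97", None, foreign, anchor):
        findings.append("MISSING: EoIP (IP protocol 97) foreign -> anchor")
    if not (permits(entries, "udp", 16666, foreign, anchor)
            or permits(entries, "udp", 16667, foreign, anchor)):
        findings.append("MISSING: mobility UDP 16666 (or 16667 for IPSec) foreign -> anchor")
    for port, what in FORBIDDEN_UDP.items():
        if (permits(entries, "udp", port, foreign, anchor)
                or permits(entries, "udp", port, anchor, foreign)):
            findings.append(f"FORBIDDEN: {what} UDP {port} is open between the controllers")
    return findings


if __name__ == "__main__":
    for label, acl in (("slide ACL", SLIDE_ACL), ("bad ACL", BAD_ACL)):
        print(label, "->", audit(acl) or ["OK"])
```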

Show Commands
Show Mobility Summary


Show Commands
Show Mobility Anchor
Show Mobility Statistics


Show Commands: Remote and Anchor WLC

Show client detail mac_address

Remote

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest-vlan
VLAN............................................. 4

Anchor

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
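As an added example that is not from the presentation, this Python snippet parses the dotted-leader output of show client detail from both controllers and checks that the two views of an anchored guest agree: Export Foreign on the remote side pointing at the anchor, Export Anchor on the anchor side pointing back at the foreign controller, an address and a username present on the anchor side, and the client on the guest VLAN. The sample outputs are trimmed copies of the slide's; the field selection and the check logic are assumptions.

```python
import re
from typing import Dict, List

# Constructed samples: the fields of the two "show client detail" outputs on
# the slide that matter for verifying an anchored guest (leaders shortened).
FOREIGN_OUTPUT = """\
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Policy Manager State............................. RUN
Interface........................................ guest-vlan
VLAN............................................. 4
"""

ANCHOR_OUTPUT = """\
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
IP Address....................................... 10.50.10.128
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Policy Manager State............................. RUN
Interface........................................ guest
VLAN............................................. 4
"""

# "Key........ value": the key ends at the first run of two or more dots.
FIELD_RE = re.compile(r"^(?P<key>[^.]+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Turn the controller's dotted-leader output into a key/value map."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def check_anchored_client(foreign_text: str, foreign_mgmt_ip: str,
                          anchor_text: str, anchor_mgmt_ip: str,
                          guest_vlan: int) -> List[str]:
    """Compare the foreign and anchor views of one client; empty list means consistent."""
    f = parse_client_detail(foreign_text)
    a = parse_client_detail(anchor_text)
    problems = []
    if f.get("Client MAC Address") != a.get("Client MAC Address"):
        problems.append("Client MAC Address differs between foreign and anchor output")
    if f.get("Mobility State") != "Export Foreign":
        problems.append(f"foreign WLC mobility state is {f.get('Mobility State')!r}, expected 'Export Foreign'")
    if a.get("Mobility State") != "Export Anchor":
        problems.append(f"anchor WLC mobility state is {a.get('Mobility State')!r}, expected 'Export Anchor'")
    if f.get("Mobility Anchor IP Address") != anchor_mgmt_ip:
        problems.append(f"foreign WLC points at anchor {f.get('Mobility Anchor IP Address')}, expected {anchor_mgmt_ip}")
    if a.get("Mobility Foreign IP Address") != foreign_mgmt_ip:
        problems.append(f"anchor WLC points at foreign {a.get('Mobility Foreign IP Address')}, expected {foreign_mgmt_ip}")
    # In the slide's output the address and the web-auth username show up on
    # the anchor side, on the guest VLAN; treat their absence as a problem.
    if a.get("IP Address") in (None, "Unknown"):
        problems.append("anchor WLC has no IP address for the client")
    if a.get("Client Username") in (None, "N/A"):
        problems.append("anchor WLC shows no username: web authentication has not completed")
    if a.get("VLAN") != str(guest_vlan):
        problems.append(f"anchor WLC put the client in VLAN {a.get('VLAN')}, expected guest VLAN {guest_vlan}")
    for side, fields in (("foreign", f), ("anchor", a)):
        if fields.get("Policy Manager State") != "RUN":
            problems.append(f"{side} WLC policy manager state is {fields.get('Policy Manager State')!r}, expected 'RUN'")
    return problems


if __name__ == "__main__":
    print(check_anchored_client(FOREIGN_OUTPUT, "10.50.10.26", ANCHOR_OUTPUT, "10.70.0.2", 4) or "consistent")
```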

Guest Network Redundancy
Using the EoIP pings (data path) functionality, Anchor WLC reachability will be determined
The Foreign WLC will send pings at configurable intervals to see if the Anchor WLC is alive
Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
The Remote WLC will keep on monitoring the Anchor WLC
Under normal conditions, round-robin fashion is used to balance clients between Anchor WLCs

[Figure: two anchor WLCs facing the Internet, A1 (management 10.10.76.2) and A2 (management 10.10.75.2), each reached by an EtherIP guest tunnel (primary link and redundant link) from foreign WLC F1 (management 10.10.80.3, guest VLAN 10.10.60.x/24) across the campus core; Guest and Secure wireless VLANs with LWAPP/CAPWAP tunnels at the foreign controller]
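As an added example that is not part of the presentation, this Python model simulates the behaviour just described from the foreign controller's point of view: round-robin placement of new guests across the anchor WLCs, EoIP ping monitoring, DEAUTH of every client anchored on a controller that is declared dead, and continued monitoring so the anchor is used again once it answers. The number of missed pings before an anchor is declared dead is an assumption; the anchor addresses are the ones on the slide.

```python
from collections import deque
from typing import Dict, List, Tuple


class AnchorMonitor:
    """Foreign WLC view of its anchor WLCs: EoIP ping health, round-robin
    client placement, DEAUTH of the clients of an anchor declared dead."""

    def __init__(self, anchors: List[str], miss_threshold: int = 3):
        # miss_threshold is an assumption: consecutive missed EoIP pings before
        # an anchor is declared dead. The slide only says the ping interval is
        # configurable.
        self.miss_threshold = miss_threshold
        self.alive: Dict[str, bool] = {a: True for a in anchors}
        self.misses: Dict[str, int] = {a: 0 for a in anchors}
        self.order = deque(anchors)          # round-robin order for new clients
        self.clients: Dict[str, str] = {}    # client MAC -> anchor WLC
        self.events: List[Tuple[str, str]] = []

    def anchor_for_new_client(self, mac: str) -> str:
        """Round-robin over the anchors, skipping any currently declared dead."""
        for _ in range(len(self.order)):
            anchor = self.order[0]
            self.order.rotate(-1)
            if self.alive[anchor]:
                self.clients[mac] = anchor
                return anchor
        raise RuntimeError("no anchor WLC reachable")

    def ping_cycle(self, replies: Dict[str, bool]) -> None:
        """Process one EoIP ping interval; replies[anchor] is True when it answered."""
        for anchor, answered in replies.items():
            if answered:
                self.misses[anchor] = 0
                if not self.alive[anchor]:
                    # monitoring never stops, so a recovered anchor comes back
                    self.alive[anchor] = True
                    self.events.append(("anchor-up", anchor))
                continue
            self.misses[anchor] += 1
            if self.alive[anchor] and self.misses[anchor] >= self.miss_threshold:
                self.alive[anchor] = False
                self.events.append(("anchor-down", anchor))
                # every client anchored there is deauthenticated; on reconnect
                # anchor_for_new_client() places it on a live anchor
                for mac, a in list(self.clients.items()):
                    if a == anchor:
                        self.events.append(("deauth", mac))
                        del self.clients[mac]


if __name__ == "__main__":
    m = AnchorMonitor(["10.10.76.2", "10.10.75.2"])
    for mac in ("c1", "c2", "c3"):
        print(mac, "->", m.anchor_for_new_client(mac))
    for _ in range(3):
        m.ping_cycle({"10.10.76.2": False, "10.10.75.2": True})
    print(m.events)
```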

Wireless Guest Access
Deployment Options Summary

[Figure: three topologies, each with Internet access: standalone Cisco APs on the LAN; Cisco Unified Wireless with WCS and no DMZ controller; Cisco Unified Wireless with WCS and a DMZ WLC reached over EoIP]

                            Standalone Cisco APs   Cisco Unified Wireless   Cisco Unified Wireless
                                                   (No DMZ Controller)      (DMZ Controller)
Provisioning Portal         No                     Yes                      Yes
User Login Portal           No                     Yes                      Yes
Traffic Segmentation        VLANs thru Network     VLANs thru Network       Tunnels or VLANs
User Policy Management      No                     Yes                      Yes
Reporting                   No                     Yes                      Yes
Overall Functionality       Low                    Medium                   High
Overall Design Complexity   Medium                 Medium                   Low

Deploying Secured Wired Guest Access


Unified Wired and Wireless Deployment


Wired Guest Access
Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access
Allows organizations to leverage the existing wireless infrastructure to provide guest access on the LAN
Universal provisioning interface and captive portal provide ease of guest user provisioning and consistent network access
Enables the ability to leverage common guest user policies for both wired and wireless network access


Guest Access for Wired LAN
Overview
Wireless LAN Controllers version 4.2 and above offer Wired Guest Access
Wired Guest VLAN must be L2 adjacent with the WLC
Wired Guest VLAN can be the fallback VLAN in 802.1x/EAP authentication on the switch
Supported on WLC-4400, 5500 series, Catalyst 3750 Wireless and Catalyst 6500 with WiSM

[Figure: wired client on a Layer-2 switch in the Guest VLAN; EtherIP guest tunnel from the WLC across the campus core to the anchor facing the Internet; Guest and Secure wireless VLANs with LWAPP tunnels to the APs]

Unified Wired and Wireless Guest Access
Wired Guest Access
Wired guest ports are provided in a designated location and plugged into an access switch
The configuration on the access switch puts these ports into the wired guest layer 2 VLAN
On a single WLAN Controller, the guest VLAN will be trunked into the WLC
On a multi-controller deployment with Auto Anchor mode, the guest VLAN will be trunked into the Foreign controller and then tunneled into the DMZ Anchor controller

[Figure: wired guest and wireless guest on an isolated L2 VLAN at the Wireless LAN Controller in the corporate intranet; EoIP tunnel through the Cisco ASA Firewall to the DMZ or Anchor Wireless LAN Controller, which faces the Internet]

Wired Guest Access


Deployment Requirements
Five guest LANs for wired guest access are supported
Admin can create wired guest VLANs on the WLC and associate them with the guest LAN
Web-auth will be the default security on a wired guest LAN, but open and web pass-through are also supported
No L2 security is supported, like 802.1x
Multicast and broadcast traffic will be dropped on wired guest VLANs
Wired guest access will be supported in a single guest WLC scenario or an Anchor-Foreign guest WLC scenario

Wired Guest Access


Deployment Steps
Create a dynamic interface as guest LAN, which will be the ingress interface
DHCP server information is not required there; DHCP server information is required on the egress dynamic interface


Wired Guest Access Configuration


Create wired WLAN as Guest LAN type


Wired Guest Access Configuration


Assign the Ingress and Egress Interfaces
Ingress interface is the wired guest LAN
Egress interface could be the management or any dynamic interface


Wireless and Wired Guest Configuration


Wireless and wired guest WLAN


Architecture Summary
Wireless is the preferred Guest Access technology because it provides no physical connectivity to the corporate network.

Using multiple BSSIDs allows for WLAN virtualization: each WLAN appears to come from a separate access point.
An Anchor Controller in the Guest DMZ allows for full path isolation from the access point to the Guest DMZ.
The Cisco ASA Firewall allows only EoIP traffic between Wireless LAN Controllers.
The Cisco ASA Firewall also provides advanced security features for guest control.

Guest Services Policy Enforcement


Components of a Guest Access Solution: Policy Management

[Figure: the three functional blocks (path isolation and network segmentation, guest services and user policy management, user provisioning) with Guest Services and User Policy Management (differentiated access by user: guest function, employee function, IT admin function) highlighted]

Policy Enforcement
Differentiated Guest Services per SSID
Several guest SSIDs can be defined on WLCs. Each SSID can have its own rules (ACL, wired interface, pre-auth ACL, etc.).

Lobby administrators can select the appropriate SSID profile depending on the guest type (visitor, contractor, customer, etc.).


Policy Enforcement
Using ACL for Guest Traffic
ACL can be applied per wired VLAN associated to a guest SSID
ACL can be overridden per SSID
ACL can, in some provisioning situations, be per user or per user group (guests authenticated by a RADIUS server)


Policy Enforcement
Using ACL for Guest Traffic
Pre-auth ACL allows specific traffic to be forwarded even if the guest is not web authenticated.

Pre-auth ACL can be used for allowing access to VPN services, free web services, etc.


Policy Enforcement
Guest Network Bandwidth Contracts
Specify bandwidth limitations and policies by individual user or group
Ability to allocate resources by specific job function or throughput requirements
Organization's overall network performance is enhanced
Increased granularity and control improves network security

[Figure: anchor controller facing the Internet; two guest SSIDs on the campus WLCs, SSID = ACCT for an Accounting Contractor (Best Effort) and SSID = CONTRACTOR for a Network Admin Contractor at 4 Mbps (High Speed); Guest and Emp wireless VLANs with LWAPP/CAPWAP tunnels to the APs]

Policy Enforcement
QoS Profile
QoS profiles can be created per type of guest (customer, contractors, visitors, etc.)
Ability to allocate resources by specific job function or throughput requirements
Organization's overall network performance is enhanced
When creating a guest account, the lobby admin will be able to use one of the defined profiles
QoS policy will apply downstream


Guest Services Provisioning


Components of a Guest Access Solution: Guest Access Services

[Figure: the three functional blocks (path isolation and network segmentation, guest services and user policy management, user provisioning) with User Provisioning (guest provisioning web portal, user login portal, audit trails, reporting and tracking) highlighted]

Requirements for Guest Provisioning


Might be performed by non-IT personnel
Must deliver basic features, but might also require advanced features: duration, start/end time, bulk provisioning, etc.
Provisioning strategies: Lobby Ambassador, Employees


Provisioning Strategy
Lobby Ambassador: guest accounts are created by lobby ambassadors at reception desks

Pros
Easier for employees
Access code can be delivered with access badges

Cons
No identified employee sponsor
Lobby ambassadors are often not employees and change regularly (tracking concern)
When in a meeting room and internet access is needed, the guest has to go back to reception


Provisioning Strategy
Sponsor Employees: guest accounts are created by employees, using an Intranet service

Pros
Easy tracking of the guest access sponsor (better tracking)
Access code can be generated when needed, and not only at reception
Employee can proactively create access codes and send them by email to visitors

Cons
Employees need to be aware of the guest service and able to use it.
The guest provisioning tool needs to be interconnected to the enterprise directory.


Multiple Guest Provisioning Services

Cisco Guest Access Solution supports several provisioning tools, with different feature richness.

[Figure: provisioning tools ranked from basic to advanced provisioning]
Cisco Wireless LAN Controller: basic provisioning, included in the Cisco Wireless LAN Solution
Cisco Wireless Control System: included in the Cisco Wireless LAN Solution
Cisco NAC Guest Server: dedicated provisioning, advanced provisioning, additional Cisco product
Customer Server: customized provisioning, customer development

Multiple Guest Provisioning Services


Cisco Guest Access Solution supports several provisioning tools, with different feature richness: Customer Server, Cisco NAC Guest Server, Cisco Wireless Control System, Cisco Wireless LAN Controller.


Guest Provisioning Service


Cisco Wireless LAN Controller
Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
Lobby Ambassadors will have limited guest features available to create a user directly on the WLC:
Create guest users, up to 2048 entries
Set time limitation, up to 30 days
Set guest SSID
Set QoS profile


Guest Services
Support on WLC with Local Database
Configure the local internal database of the WLC
2048 entries can be stored in the local database per WLC
Guest usernames are deleted automatically after the activity period

[Figure: WLC at the campus core with Guest and Emp wireless VLANs and LWAPP tunnels to the APs; guest traffic goes to the Internet]

WLC Provisioning Service
Using Internal WLC DB
1. Lobby Ambassador creates the guest account on the WLC
2. Credentials are delivered to the guest by print or email
3. Guest authentication on the guest portal
4. Traffic can go through

[Figure: Lobby Ambassador or Employee Sponsor creating the account on the Wireless LAN Controller (policy enforcement, guest web portal); the guest (visitor, contractor, customer) authenticates and reaches the Internet, separate from the corporate network]

Guest Provisioning Service


Create the Lobby Admin in WLC
Lobby administrator can be created in WLC directly


Guest Provisioning Service


Add a Guest User on the WLC
Guest User List
New user with lifetime up to 30 days


Multiple Guest Provisioning Services


Cisco Guest Access Solution supports several provisioning tools, with different feature richness: Customer Server, Cisco NAC Guest Server, Cisco Wireless Control System, Cisco Wireless LAN Controller.


Guest Provisioning Service


Cisco Wireless Control System
WCS offers specific Lobby Ambassador access for guest management only
Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers
Lobby Ambassadors on WCS are able to create guest accounts with advanced features like:
Start/end time and date, duration
Bulk provisioning
Set QoS profiles
Set access based on WLC, access points, or location

WCS Provisioning Service
Using Internal DB and Reporting Capabilities
1. Lobby Ambassador creates the guest account with policies
2. Guest account credentials and rules are pushed to the WLC
3. Credentials are delivered to the guest by print or email with customized logo
4. Guest authentication on the guest portal
5. SNMP trap with guest login information (MAC address, IP address, etc.)
6. Traffic can go through

[Figure: WCS (Lobby Ambassador portal, guest account database, monitoring and reporting) used by the Lobby Ambassador or Employee Sponsor; the Wireless LAN Controller (policy enforcement, guest web portal) serves the guest (visitor, contractor, customer) with access to the Internet, separate from the corporate network]

Guest Provisioning Service


Lobby Ambassador Feature in WCS
User created in WCS with Lobby Ambassador (LA) privilege
Lobby Ambassador user logs into the WCS to create guest user accounts


Guest Provisioning Service


Lobby Ambassador Feature in WCS
Associate the lobby admin with Profile and Location specific information


Guest Provisioning Service


Add a Guest User with WCS


Guest Provisioning Service


Print/E-Mail Details of Guest User


Guest Provisioning Service


Schedule a Guest User
Configure Controller Template > Schedule Guest User


Guest Provisioning Service


Details About the Guest User(s)


Guest Provisioning Service Summary


Controller and WCS
Integrated Device Management Cisco Wireless Control System


Multiple Guest Provisioning Services


Cisco Guest Access Solution supports several provisioning tools, with different feature richness: Customer Server, Cisco NAC Guest Server, Cisco Wireless Control System, Cisco Wireless LAN Controller.

BRKAGG-2016

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

74

Guest Provisioning Service: Cisco NAC Guest Server
- Dedicated external server
- Complete provisioning, accounting, reporting and billing services
- Advanced features: full Sponsor and Guest user policies
- Large guest account base using RADIUS
- Easy integration with Clean Access and WLC
- Email & SMS notifications
- Sponsor authentication through local database, LDAP or Active Directory

Cisco NAC Guest Server: NGS Configuration (diagram placeholder: IT Admin (Network/Solution Mgt) configures the NAC Guest Server (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting) and the Wireless LAN Controller (Policy Enforcement, Guest Web Portal); Lobby Ambassador / Employee Sponsor; Internet; Corporate Network; Guest = Visitor, Contractor, Customer)
1. IT Administrator configures NGS:
   - Sponsor or LA access rights
   - Declare Guest Anchor WLC in NGS
   - Configure security/policy rules
2. IT Admin configures WLC to use Cisco NGS:
   - Define Guest SSID
   - Associate NGS as RADIUS Server

Cisco NAC Guest Server: Admin Interface
- The admin portal is required to configure the device

Cisco NAC Guest Server: Sponsor Authentication (Local Account/AD)
- The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account

Cisco NAC Guest Server: Guest Policy (Username/Password Policy)
Username Policy
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters
Password Policy
1. Alphabetic characters
2. Numeric characters
3. Special characters
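As an added example (not code from the presentation or from the NAC Guest Server product), the following Python implements the two policies above as a sponsor-side credential generator: usernames are derived according to the three username policies, and passwords are drawn with a CSPRNG so that every enabled character class is present, with a validator that can also be applied to credentials produced elsewhere. The policy names ('email', 'name', 'random'), the special-character set and the default length are assumptions of this example.

```python
import re
import secrets
import string

# Character classes named in the NGS username/password policy slide.
# The special-character subset is an assumption of this example.
ALPHA = string.ascii_letters
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_"


def make_username(policy, first="", last="", email=""):
    """Derive a guest username according to one of the three username
    policies on the page: 'email', 'name' (first and last name) or
    'random' (alphabetic, numeric and special characters).
    The policy identifiers are assumptions of this example."""
    if policy == "email":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            raise ValueError("username policy 'email' needs a valid e-mail address")
        return email.lower()
    if policy == "name":
        # Keep letters only so the username is safe to print or e-mail.
        clean = "".join(ch for ch in (first + last) if ch.isalpha()).lower()
        if not clean:
            raise ValueError("username policy 'name' needs a first and last name")
        return clean
    if policy == "random":
        alphabet = ALPHA + DIGITS + SPECIAL
        return "".join(secrets.choice(alphabet) for _ in range(10))
    raise ValueError("unknown username policy: %r" % policy)


def password_meets_policy(password, alpha=True, digits=True, special=True):
    """True when every enabled class is present and no other characters appear."""
    allowed = set()
    checks = []
    for charset, enabled in ((ALPHA, alpha), (DIGITS, digits), (SPECIAL, special)):
        if enabled:
            allowed |= set(charset)
            checks.append(any(ch in charset for ch in password))
    return bool(checks) and all(checks) and set(password) <= allowed


def make_password(length=10, alpha=True, digits=True, special=True):
    """Generate a password satisfying the enabled policy classes.
    Uses the secrets module (CSPRNG), never random, and resamples until
    at least one character of every required class is present."""
    classes = [c for c, on in ((ALPHA, alpha), (DIGITS, digits), (SPECIAL, special)) if on]
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if length < len(classes):
        raise ValueError("length too short for the enabled classes")
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if password_meets_policy(candidate, alpha, digits, special):
            return candidate
```

Rejection sampling keeps the distribution uniform over valid passwords, which a "pick one of each class, then fill" construction does not; for the short lengths used for guest credentials the loop terminates after a handful of draws.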

Cisco NAC Guest Server: WLC Integration (Guest Server Configuration)
- Add the WLC that performs WebAuth as a RADIUS Client in the NGS
- NGS uses standard RADIUS Attribute 27 (Session-Timeout)

Cisco NAC Guest Server: Informing the Guest
The sponsor has three ways to inform the guest:
1. Printing the details
2. Sending the details via e-mail
3. Sending the details via SMS

Cisco NAC Guest Server: Guest User Creation (diagram placeholder: Lobby Ambassador / Employee Sponsor -> NAC Guest Server (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting) <-> Wireless LAN Controller (Guest Web Portal, Policy Enforcement) via RADIUS Requests and RADIUS Accounting; Guest = Visitor, Contractor, Customer -> Internet; Corporate Network)
1. Sponsor creates Guest Account through dedicated NGS server
2. Credentials are delivered to Guest by print, email or SMS
3. Guest Authentication on Guest portal
4. RADIUS Request from WLC to Cisco NGS Server
5. RADIUS Response with policies (session timeout, ...)
6. RADIUS Accounting with session information (time, login, IP, MAC, ...)
7. Traffic can go through
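The two NGS/WLC exchanges described on these slides, the Access-Accept carrying Session-Timeout (attribute 27) from the WLC Integration slide and the RADIUS request, response and accounting steps 4 to 6 of the flow just listed, are shown below in a self-contained Python example added to this page; it is not code from Cisco NGS or the WLC. It encodes the packets per RFC 2865/2866, and the receiving side verifies the authenticator with the shared secret before using any attribute, so a forged Access-Accept never opens a guest session and a forged accounting record never enters the audit trail. The shared secret, packet identifiers, guest login, MAC and IP address are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes (RFC 2865/2866) and the attribute types used in the guest flow.
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
USER_NAME, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 1, 8, 27
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
ACCT_START = 1  # Acct-Status-Type value for a session start


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode("utf-8")
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Parse TLVs into (type, raw value) pairs, refusing malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", body[i:i + 2])
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_accept(identifier, request_auth, secret, session_timeout):
    """Guest server side: Access-Accept carrying Session-Timeout (attribute 27).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs([(SESSION_TIMEOUT, session_timeout)])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def accept_session_timeout(packet, request_auth, secret):
    """WLC side: check the Response Authenticator against the Request Authenticator
    it sent, then read Session-Timeout.  Returns None when the packet is not
    authentic or carries no timeout, so a forged Accept never opens a session."""
    if len(packet) < 20:
        return None
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if header[0] != ACCESS_ACCEPT or struct.unpack("!H", header[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    for atype, value in decode_attrs(body):
        if atype == SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def build_accounting_start(identifier, secret, username, mac, ip, session_id):
    """WLC side: Accounting-Request (Start) with the session data the slide lists.
    Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = encode_attrs([
        (ACCT_STATUS_TYPE, ACCT_START),
        (USER_NAME, username),
        (CALLING_STATION_ID, mac),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        (ACCT_SESSION_ID, session_id),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """Guest server side: validate the accounting authenticator before trusting the
    record.  Returns the attributes as a dict keyed by type, or None if forged."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return None
    record = {}
    for atype, value in decode_attrs(body):
        if atype == FRAMED_IP_ADDRESS:
            record[atype] = str(ipaddress.IPv4Address(value))
        elif atype in (ACCT_STATUS_TYPE, SESSION_TIMEOUT):
            record[atype] = struct.unpack("!I", value)[0]
        else:
            record[atype] = value.decode("utf-8")
    return record
```

The authenticators are MD5 over the shared secret, as the protocol defines, so the strength of the guest server to WLC trust rests entirely on that secret and on keeping the RADIUS path on a management network; the example uses a constant-time comparison so that the check itself does not leak timing information.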

Cisco NAC Guest Server: Sponsor Portal, Create and Print Guest Access Credentials

Cisco NAC Guest Server: Sponsor Portal, Guest Reports and Logs


Guest Provisioning Service: Customer/Partner Server
- Customers or third-party partners can create their own provisioning service
- Customized provisioning can interact with the Cisco Guest Solution at several levels:
  - At WLC level using the RADIUS protocol
  - At WCS level using the SOAP/XML API
  - At NGS level using the API and XML

Guest Access Service: User Provisioning

Components of a Guest Access Solution (diagram placeholder, highlighting User Provisioning)
- Path Isolation and Network Segmentation: Tunnels or VLANs (IT Admin function)
- Guest Services and User Policy Management: Differentiated access by user (IT Admin function)
- User Provisioning: Guest provisioning web portal (Employee function)
- User Login Portal: Guest user intercept web auth portal (Guest User function)
- Reporting and Tracking: Audit trails (IT Admin function)

Guest Access Services: Wireless Clients
How does a wireless user connect to the network?
- Associate to the access point using an SSID (Service Set Identifier)
- For each defined SSID we can have a different authentication method (EAP type)
- Guest users usually associate using an Open Guest SSID
  - Easiest deployment, no configuration required on the client side

Step-by-step Guest Access Service (diagram placeholder: IT Admin (Network/Solution Mgt); AAA Server (TACACS+, LDAP); Wireless LAN Controller (Policy Enforcement, Guest Web Portal); Guest Provisioning (WCS, NGS, ...); Corporate Network with Path Isolation; Lobby Ambassador / Employee Sponsor; Guest = Visitor, Contractor, Customer; Internet)
1. IT Admin defines Guest Policies and Employee service access policies
2. Lobby Ambassador or Employee Sponsor creates Guest access credentials
3. Provisioning server configures WLC
4. Guest credentials are delivered to the guest by print, email or SMS
5. Guest associates to the open guest WiFi service and is intercepted by the WLC
6. WLC, NGS or Clean Access pushes the guest portal; the guest provides credentials
7. Guest has Internet access

User Login Portal

Components of a Guest Access Solution (diagram repeated, highlighting User Login Portal)

Guest Authentication Portal: Overview
- The Guest Authentication Portal is performed by the WLC
- When deploying a guest DMZ, the authentication portal is performed by the Anchor WLC in the DMZ
- The WLC Guest Authentication Portal supports 3 modes:
  - Internal
  - Customized (Download)
  - External (Re-direct to external server)

Guest Authentication Portal: Internal Web Portal

Guest Authentication Portal, Internal Web Portal: Web Login Page on the Client (diagram placeholder: Guest Wireless Client -> LWAPP access points -> Campus Core (Wireless VLANs: Guest, Emp) -> WLC -> Internet; WCS)
- Wireless guest user associates to the guest SSID
- Initiates a browser connection to any website
- The web login page is displayed

Guest Authentication Portal, External Web Portal (diagram placeholder: Guest -> LWAPP access points -> Campus Core (Wireless VLANs: Guest, Emp) -> WLC -> Internet; Web Portal: External Web Server reached by redirect from the WLC)

Guest Authentication Portal, External Web Portal: Configuring Customized WebAuth in WCS (diagram placeholder: Guest -> LWAPP access points -> Campus Core (Wireless VLANs: Guest, Emp) -> WLC -> Internet; WCS)
- Download a sample copy of the customized WebAuth page from WCS
- Customize the WebAuth page as per your requirements
- Upload the newly customized WebAuth page to the Anchor WLC

Services Edge: Configuring Customized WebAuth in WCS (diagram placeholder: Guest -> LWAPP access points -> Campus Core (Wireless VLANs: Guest, Emp) -> WLC -> Internet; WCS)
- Upload the customized web page to the Anchor WLC
- The customized WebAuth bundle can contain:
  - 22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
  - 22 login failure pages (in WCS 5.0 and up)
  - 22 login successful pages (in WCS 5.0 and up)

Services Edge: Sample Customized WebAuth in WCS (diagram placeholder: Guest -> LWAPP access points -> Campus Core (Wireless VLANs: Guest, Emp) -> WLC -> Internet; WCS)
- Sample webauth bundle with customized login.html, logout.html and loginfailure.html files

Guest Authentication Portal: Customizable Web Portal
- Create your own Guest Access Portal web page
- Download it to the guest WLC
- Configure the WLC to use the customizable web portal

Guest Services: Reporting and Tracking

Components of a Guest Access Solution (diagram repeated, highlighting Reporting and Tracking)

Guest User Reports and Tracking
- WCS Guest User reports can be used for Guest usage monitoring and tracking.
- WCS is able to generate scheduled guest usage reports and save them as CSV files.
- Information tracked in WLC/WCS:
  - Lobby login that created the guest account
  - Guest login
  - Start & end of the guest session
  - Guest MAC@
  - Guest IP@
  - WLC used and connected AP
- Information not tracked in WLC/WCS:
  - UDP/TCP sessions (IP destinations, UDP/TCP ports)
  - HTTP URLs, any L4 information
- For extended stream tracking use Cisco ASA logging features
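As an added example (not a WCS export or Cisco code), here is a Python parser over a constructed CSV in the shape of a scheduled WCS guest-usage report, carrying the tracked fields the slide lists. It answers the question a legal tracking request actually asks, which guest account and which lobby login stood behind a guest IP address at a given instant, and totals connected time per guest. Column names, timestamps and all sample values are assumptions of this example; note that, exactly as the slide says, nothing in this data can say which destination or URL the guest reached, so the answer is an account, a MAC and a session window, not a flow.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of a scheduled WCS guest-usage CSV export.
# Column names are assumptions of this example; the fields are the ones the
# slide lists as tracked.  An empty session_end means the session was still
# open when the report was generated.
SAMPLE_REPORT = """\
lobby_login,guest_login,session_start,session_end,guest_mac,guest_ip,wlc,ap
lobby.alice,visitor042,2009-06-30 09:02:11,2009-06-30 11:45:03,00:11:22:33:44:55,10.20.30.101,WLC-DMZ-1,AP-LOBBY-01
lobby.alice,visitor042,2009-06-30 13:10:40,2009-06-30 17:30:00,00:11:22:33:44:55,10.20.30.101,WLC-DMZ-1,AP-MTG-03
lobby.bob,contractor07,2009-06-30 08:55:00,,aa:bb:cc:dd:ee:ff,10.20.30.102,WLC-DMZ-1,AP-LOBBY-01
lobby.bob,contractor07,2009-06-29 08:50:00,2009-06-29 18:02:15,aa:bb:cc:dd:ee:ff,10.20.30.115,WLC-DMZ-2,AP-FLOOR2-07
"""

TS = "%Y-%m-%d %H:%M:%S"


def ts(text):
    """Parse a report timestamp (format is an assumption of this example)."""
    return datetime.strptime(text, TS)


def parse_report(text):
    """Parse the CSV into session records with datetime start/end fields."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        start = ts(row["session_start"])
        end = ts(row["session_end"]) if row["session_end"] else None
        if end is not None and end < start:
            raise ValueError("session_end precedes session_start for %s" % row["guest_login"])
        sessions.append({**row, "session_start": start, "session_end": end})
    return sessions


def who_had_ip(sessions, ip, at, report_time=None):
    """Legal-tracking query: which guest account (and which lobby login created
    it) held guest IP `ip` at instant `at`.  Open sessions count up to
    report_time when it is given, otherwise without an upper bound.  A list is
    returned so that address reuse across sessions is visible, not hidden."""
    hits = []
    for s in sessions:
        end = s["session_end"] or report_time
        if s["guest_ip"] == ip and s["session_start"] <= at and (end is None or at <= end):
            hits.append((s["guest_login"], s["lobby_login"], s["guest_mac"], s["wlc"], s["ap"]))
    return hits


def usage_by_guest(sessions, report_time):
    """Total connected seconds per guest login; open sessions are measured up to
    report_time, which is when the report was generated."""
    totals = {}
    for s in sessions:
        end = s["session_end"] or report_time
        seconds = int((end - s["session_start"]).total_seconds())
        totals[s["guest_login"]] = totals.get(s["guest_login"], 0) + seconds
    return totals
```

Because DHCP leases on the guest VLAN are reused, the IP-at-time lookup deliberately returns every matching session rather than the first; two hits for one instant indicate overlapping records that need a closer look before anything is asserted about a user.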

Guest User Legal Tracking
- WLC sends SNMP traps for guest access reporting
- WLC sends RADIUS accounting packets on guest access sessions

Guest User Reports in WCS: Guest Tracking report

Summary

What We Have Covered
- What a Guest Access Service is made of
- The need for a secured infrastructure to support isolated Guest traffic; Unified Wireless is a key component of this infrastructure.
- Components of the Guest Service are integrated in the Cisco Unified Solution but can be complemented at several levels.
- Project deployments might have to take care of Reporting and Tracking aspects depending on regions.

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

EoIP Tunnel Combination Between WLC Versions
Table: Anchor WLC version (rows) versus Remote WLC version (columns) for versions 4.1.185, 4.2.112, 5.0.148, 5.1.78 and 6.0.182; the compatibility cells of the matrix were not recovered from the slide.

Acronyms
- VPN: Virtual Private Network
- WLAN: Wireless LAN
- ACL: Access Control List
- ACE: Access Control Entries
- SSID: Service Set Identifier
- MPLS: Multiprotocol Label Switching
- DHCP: Dynamic Host Configuration Protocol
- DNS: Dynamic Name Services
- EAP: Extensible Authentication Protocol
- EAPoL: EAP over LAN
- AAA: Authentication, Authorization and Accounting
- RADIUS: Remote Authentication Dial-In User Service
- CDP: Cisco Discovery Protocol
- MDA: Multi Domain Authentication
- IBNS: Identity-Based Networking Services
- AP: Access Point
- WLC: WLAN Controller
- LWAPP: Lightweight Access Point Protocol
- QoS: Quality of Service
- VRF: Virtual Routing/Forwarding
- GRE: Generic Routing Encapsulation
- mGRE: Multipoint GRE
- IGP: Interior Gateway Protocol
- EIGRP: Enhanced Interior Gateway Routing Protocol
- OSPF: Open Shortest Path First
- WAN: Wide Area Network
- SVI: Switched Virtual Interface
- EoIP: Ethernet over IP
