© 2006, Cisco Systems, Inc. All rights reserved. 14498_04_2008_c2.scr © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRKAGG-2016 14498_04_2008_c2 2 Designing Guest Access with the Cisco Unified Wireless Network BRKAGG-2016

Designing Guest Access with the Cisco Unified Wireless Network



Agenda

Guest Access Drivers and Requirements

Guest Access in the Campus

1. Access Control

2. Path Isolation

3. Services Edge

Unified Wired and Wireless Guest Access

Cisco NAC Guest Server

Guest Access Use Cases

Q&A

Drivers for Guest Network Access

Providing a Positive Visitor Experience

Streamlining IT Management and Control

Balancing the Needs of Guest Users and IT Departments

Guest Access:

• Visitor Access for VPN

• Internet Access for Customers

• Contractor Secured Internal Network Access

• On-Site Vendor Demos

• Segmenting Visitors from Subsidiaries

• Network Integrity and Security

• Customized Access

• Simplified Network Design

• Cost-Effective Deployment and Operations


The Challenge of the “Guest” User

Guest traffic should be segregated from the internal network

Limited internal network access must be extended to guests securely

“Guest network” must be cost-effective and non-disruptive

Must not require guest desktop software or configuration

[Diagram: Visitor (Vendor, Contractor, etc.) connecting through the Internal Network, with the Data Center and the Internet behind it]

Types of Network Users

Corporate Employees (Full Access)

• Need internal network access

• Can be role based to allow granular access if needs require

Contractors/Consultants

• Need restricted internal access: printers, file shares, specific applications, device support

Guest Users (Internet Only)

• Internet access only

• No need to access internal systems

• Segment access completely

Cisco Guest Services Give You Control


Network Virtualization Functional Architecture

Access Control (Branch—Campus)

• Authenticate client (user, device, app) attempting to gain network access

• Authorize client into a Partition (VLAN, ACL)

• Deny access to unauthenticated clients

Path Isolation (WAN—MAN—Campus)

• Maintain traffic partitioned over Layer 3 infrastructure

• Transport traffic over isolated Layer 3 partitions

• Map Layer 3 Isolated Path to VLANs in Access and Services Edge

• Technologies: VRFs, GRE, MPLS

Services Edge (Data Center—Internet Edge—Campus)

• Provide access to services: Shared or Dedicated

• Apply policy per partition

• Isolate Application environments if necessary

Agenda

Guest Access Drivers and Requirements

Guest Access in the Campus

1. Access Control: Wired Clients, Wireless Clients

2. Path Isolation

3. Services Edge

Unified Wired and Wireless Guest Access

Cisco NAC Guest Server

Guest Access Use Cases

Q&A


Access Control: Wired Clients

Static guest VLAN configuration: ports may end up being underutilized

802.1x guest VLAN: allows clients not equipped with an 802.1x supplicant access to the network

802.1x auth-failed VLAN: allows clients failing 802.1x authentication access to the network

802.1x features tested with the Windows embedded 802.1x supplicant and Cisco Secure Services Client (CSSC)

Access Control: 802.1x Guest VLAN

Any 802.1x-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)

A device is only deployed into the guest VLAN based on the lack of response to the switch’s EAP-Request-Identity frames (which can be thought of as 802.1x hellos)

No further security or authentication is applied; it’s as if the administrator de-configured 802.1x and hard-set the port into the specified VLAN

[Diagram: 802.1x process between the client and the switch port. (1) Upon link up the switch sends EAP-Identity-Request (D = 01.80.c2.00.00.03) and gets no response; (2) after 30 seconds it sends a second EAP-Identity-Request, no response; (3) after another 30 seconds, a third EAP-Identity-Request, no response; (4) after a further 30 seconds the switch sends EAP-Success and the port is deployed into the guest VLAN. Note: the timer values displayed are the defaults and can be tuned.]


Access Control: 802.1x Guest-VLAN Parameters

The configurable values for the parameters are:

max-reauth-req 1–10

tx-period 1–65535 sec.

Configuring the minimum values, a switch port can be deployed into the guest VLAN in two seconds

Minimum SW Version Required for Consistency:

Cisco Catalyst 2950: 12.1(22)EA5

Cisco Catalyst 3560: 12.2(25)SEE

Cisco Catalyst 3750: 12.2(25)SEE

Cisco Catalyst 4500: 12.2(31)SG

Cisco Catalyst 6500 (CatOS): 8.1(1)

Cisco IOS

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 dot1x guest-vlan 10
 spanning-tree portfast

CatOS

set vlan 2 2/1
set port dot1x 2/1 port-control auto
set port dot1x 2/1 guest-vlan 10
set spantree portfast 2/1 enable
set dot1x max-req 1
set dot1x tx-period 1

Access Control: 802.1x Auth-Fail VLAN

The authenticator (access switch) counts the failed authentication attempts for the client

When this count exceeds the configured maximum number of authentication attempts (default is 3), the port is deployed into the auth-fail VLAN

At that point the client can pull an IP address and gain network connectivity


Access Control: Deploying 802.1x Auth-Fail VLAN

In a guest access scenario, the auth-fail VLAN should be configured with the same value as the guest VLAN

Allows visitors to get network access independently from the support of 802.1x on their machine

Cisco IOS

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 10
 dot1x auth-fail vlan 10
 spanning-tree portfast

CatOS

set vlan 2 2/1
set port dot1x 2/1 port-control auto
set port dot1x 2/1 guest-vlan 10
set port dot1x 2/1 auth-fail-vlan 10
set spantree portfast 2/1 enable
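The timing on the guest-VLAN slide (three identity requests 30 seconds apart, then the port moves) and the attempt counter on the auth-fail slide can be reproduced in a small simulation. The following Python model is an added example, not Cisco's code: it takes the same parameters as the IOS port configuration (tx-period, max-reauth-req, the auth-fail maximum of 3) and reports which VLAN a port ends up in and after how many seconds. The Client class and its auth_results list are assumptions used to drive the simulation.

```python
"""Simulation of the 802.1x authenticator behaviour described on the guest-VLAN
and auth-fail-VLAN slides. Added example, not Cisco's code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortConfig:
    """Mirrors the IOS port configuration on the slides."""
    access_vlan: int = 2                  # switchport access vlan 2
    guest_vlan: Optional[int] = None      # dot1x guest-vlan 10
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan 10
    tx_period: int = 30                   # dot1x timeout tx-period (default 30 s)
    max_reauth_req: int = 2               # dot1x max-reauth-req (default 2 retransmits)
    auth_fail_max_attempts: int = 3       # slide: default maximum of 3 attempts


@dataclass
class Client:
    """Device behind the port (assumed model). has_supplicant=False is a guest
    laptop with no 802.1x software; auth_results lists the outcome of each EAP
    exchange a supplicant attempts (True = credentials accepted)."""
    has_supplicant: bool
    auth_results: List[bool] = field(default_factory=list)


@dataclass
class Outcome:
    vlan: Optional[int]     # None: port stays unauthorized
    reason: str
    seconds: int            # simulated time from link-up to the decision
    identity_requests: int  # EAP-Request-Identity frames sent by the switch


def seconds_to_guest_vlan(tx_period: int, max_reauth_req: int) -> int:
    """Initial request plus max_reauth_req retransmits, each tx_period apart,
    then one more tx_period of silence before the port is moved."""
    return tx_period * (max_reauth_req + 1)


def run_port(cfg: PortConfig, client: Client) -> Outcome:
    # Phase 1: EAP-Request-Identity on link-up, retransmitted every tx_period
    # seconds up to max_reauth_req times while nobody answers.
    requests = 0
    for n in range(cfg.max_reauth_req + 1):
        requests += 1
        if client.has_supplicant:
            answered_at = n * cfg.tx_period
            break
    else:
        seconds = seconds_to_guest_vlan(cfg.tx_period, cfg.max_reauth_req)
        if cfg.guest_vlan is None:
            return Outcome(None, "no EAPOL response and no guest VLAN configured", seconds, requests)
        return Outcome(cfg.guest_vlan, "guest VLAN: no EAPOL response", seconds, requests)

    # Phase 2: a supplicant answered; count failed authentications.
    failures = 0
    for accepted in client.auth_results:
        if accepted:
            return Outcome(cfg.access_vlan, "authenticated", answered_at, requests)
        failures += 1
        # Slide wording: the port moves once the count exceeds the maximum.
        if failures > cfg.auth_fail_max_attempts:
            if cfg.auth_fail_vlan is None:
                return Outcome(None, "%d failed attempts, no auth-fail VLAN" % failures,
                               answered_at, requests)
            return Outcome(cfg.auth_fail_vlan, "auth-fail VLAN after %d failed attempts" % failures,
                           answered_at, requests)
    return Outcome(None, "%d failed attempts so far, port unauthorized" % failures,
                   answered_at, requests)


if __name__ == "__main__":
    guest_port = PortConfig(guest_vlan=10, auth_fail_vlan=10)
    print(run_port(guest_port, Client(has_supplicant=False)))
    print(run_port(PortConfig(guest_vlan=10, tx_period=1, max_reauth_req=1), Client(False)))
    print(run_port(guest_port, Client(True, [False, False, False, False])))
    print(run_port(guest_port, Client(True, [False, True])))
```

With the defaults the port reaches the guest VLAN after 30 × (2 + 1) = 90 seconds; with tx-period 1 and max-reauth-req 1 it takes 2 seconds, which is the slide's two-second figure. The model also shows why the auth-fail VLAN should equal the guest VLAN in a guest scenario: a visitor's machine lands in one or the other depending only on whether it runs a supplicant.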

Access Control: End-to-End Wired Traffic Isolation

The fact: VLAN isolation ceases to exist once we reach the first L3 hop (usually the Distribution Layer device)

The challenge: how to provide end-to-end guest traffic isolation, allowing Internet access but preventing any other communications?


Access Control: Wireless Clients

How does a wireless user connect to the network?

Associate to the access point using an SSID; for each defined SSID we can have a different authentication method (EAP type)

Guest user associates to the Open Guest SSID

Easiest deployment, no configuration required on the client side

SSID—Service Set Identifier


Access Control: Standalone AP Deployments

Use of an 802.1Q trunk for the switch-to-AP connection to carry all the defined VLANs (one VLAN per SSID)

Isolation of guest traffic in the L2 domain using a dedicated guest VLAN associated to the guest SSID

Traffic isolation provided by VLANs is valid up to the first L3 hop device: the Distribution layer (Multilayer Campus design) or the Access layer (Routed Access Campus design)

[Diagram: standalone APs advertising the Guest and Emp SSIDs, each SSID mapped to its own wireless VLAN on the trunk toward the Campus Core]

Access Control: Standalone AP Deployments

Access Point (Map SSIDs to VLANs Locally on the AP)

dot11 vlan-name Emp vlan 3
dot11 vlan-name Guest vlan 4
!
dot11 ssid Employee
 vlan 3
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
dot11 ssid Guest
 vlan 4
 authentication open
 guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! Cipher applies to the Employee VLAN (3); the Guest SSID stays open
 encryption vlan 3 mode ciphers tkip
 !
 ssid Employee
 !
 ssid Guest

Access Layer Switch (Define a Trunk Between AP and Access Layer Switch)

vlan 2
 name AP_Mgmt
!
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface FastEthernet0/1
 description Trunk to AP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4
 switchport mode trunk

Distribution Layer Switch (SVIs for Each SSID Are Defined on the First L3 Hop Device)

vlan 2
 name AP_Mgmt
!
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan2
 description AP_Mgmt
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0

SVI—Switched Virtual Interface


Access Control: Cisco WLAN Controller Deployments

LWAPP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)

Same LWAPP tunnel used for data traffic of different SSIDs

Control and data traffic tunneled to the controller via LWAPP: data uses UDP 12222, control uses UDP 12223

Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID

Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

[Diagram: LWAPP APs advertising the Guest and Emp SSIDs, LWAPP tunnels across the Campus Core to a WiSM WLAN Controller, which bridges each SSID onto its own wireless VLAN]

LWAPP—Lightweight Access Point Protocol

Access Control: WLAN Controller Deployments

Access Layer Switch (No Trunk Between AP and Access Layer Switch, Only the AP Mgmt VLAN Defined)

vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access

Cisco Catalyst Switch Connected to the WLAN Controller (SVIs Corresponding to Each SSID Are Defined Here)

vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown

Access Control: WLAN Controller Deployments

Create the employee and guest VLAN in the controller

Map the employee WLAN in the controller to the respective employee VLAN

Map the guest WLAN in the controller to the respective guest VLAN

Access Control: End-to-End Wireless Traffic Isolation

The fact: VLAN isolation for standalone APs is valid up to the first L3 hop

Traffic isolation achieved via LWAPP is valid from the LWAPP AP to the WLAN Controller (centralized deployment is recommended)

The challenge: how to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communications?

[Diagram: a standalone AP next to LWAPP APs, with LWAPP tunnels from the LWAPP APs toward the controller]

Agenda

Guest Access Drivers and Requirements

Guest Access in the Campus

1. Access Control

2. Path Isolation: Distributed ACLs, VRF-Lite and GRE Tunnels, VRF-Lite End-to-End, EoIP Tunnels

3. Services Edge

Unified Wired and Wireless Guest Access

Cisco NAC Guest Server

Guest Access Use Cases

Q&A

Path Isolation: Why Do We Need It for Guest Access?

Extend traffic logical isolation end-to-end over the L3 network domain

Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, etc.)

Securely transport the guest traffic across the internal network infrastructure


Path Isolation: Distributed ACLs for Wired and Wireless Clients

Routed ACLs (RACLs) defined on the first L3 edge devices: Distribution Layer (Multilayer Design) or Access Layer (Routed Access Design)

Apply to wired and wireless traffic; for hub-and-spoke connectivity

ip access-list extended Guest_RACL
 ! Guests may obtain an address, resolve names and reach the web-auth device
 10 permit udp any any eq bootps
 20 permit udp any host <DNS-Svr> eq domain
 30 permit tcp any host <web-auth-dev> eq www
 ! Everything else toward internal (RFC 1918) address space is denied
 40 deny ip any 10.0.0.0 0.255.255.255
 50 deny ip any 172.16.0.0 0.15.255.255
 60 deny ip any 192.168.0.0 0.0.255.255
 ! What remains is Internet-bound traffic
 70 permit ip any any
!
! Apply the RACL to the SVI on the first L3 hop
interface Vlan50
 description Wired-guest-floor1
 ip address 10.124.50.2 255.255.255.0
 ip access-group Guest_RACL in
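An evaluator for the RACL above, added here as an example and not taken from the slides: it parses the numbered ACEs (IOS extended-ACL syntax with wildcard masks), applies first-match semantics with the implicit deny, and reports which line decides a packet's fate. The placeholders <DNS-Svr> and <web-auth-dev> are replaced by constructed addresses 10.124.1.53 and 10.124.1.10, and the sample packets are constructed as well.

```python
"""First-match evaluator for the guest RACL on the slide. Added example, not
Cisco's code; addresses standing in for <DNS-Svr>/<web-auth-dev> are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


class Ace(NamedTuple):
    seq: int
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp
    src: Tuple[int, int]   # (network as int, wildcard as int)
    dst: Tuple[int, int]
    dport: Optional[int]   # destination port from 'eq', if any


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Numbered ACE lines only; the 'ip access-list' header and comments are skipped."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            dport = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def _addr_match(rule: Tuple[int, int], addr: str) -> bool:
    net, wild = rule
    a = int(ipaddress.ip_address(addr))
    mask = ~wild & 0xFFFFFFFF          # wildcard bits are "don't care"
    return (a & mask) == (net & mask)


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Returns (action, sequence number of the deciding line); (deny, None) is the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.seq
    return "deny", None


# The slide's ACL with constructed server addresses in place of the placeholders.
GUEST_RACL = """\
ip access-list extended Guest_RACL
 10 permit udp any any eq bootps
 20 permit udp any host 10.124.1.53 eq domain
 30 permit tcp any host 10.124.1.10 eq www
 40 deny ip any 10.0.0.0 0.255.255.255
 50 deny ip any 172.16.0.0 0.15.255.255
 60 deny ip any 192.168.0.0 0.0.255.255
 70 permit ip any any
"""
ACL = parse_acl(GUEST_RACL)

if __name__ == "__main__":
    # Constructed sample packets from a guest on the 10.124.50.0/24 SVI.
    for pkt in [Packet("udp", "0.0.0.0", "255.255.255.255", 67),
                Packet("udp", "10.124.50.10", "10.124.1.53", 53),
                Packet("tcp", "10.124.50.10", "10.124.1.10", 80),
                Packet("tcp", "10.124.50.10", "10.1.2.3", 80),
                Packet("tcp", "10.124.50.10", "203.0.113.5", 443)]:
        print(pkt, "->", evaluate(ACL, pkt))
```

The ordering is the security-relevant part: the DNS server and the web-auth device sit inside 10.0.0.0/8, so lines 20 and 30 must precede the deny on line 40, and anything not covered by the three permits and three denies falls through to line 70. Running a check like this against every edge device's copy of the ACL is one way to catch the config errors that the pros-and-cons slide lists as a weakness of this approach.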

Path Isolation: Distributed ACLs—Pros and Cons

Pros

• HW-based forwarding

• Simple initial deployment

• Similar ACEs on each edge device

• Supports wired and wireless clients (independently also from the wireless deployment)

Cons

• Guest traffic handled in the global routing table

• Prone to config errors

• IT departments uncomfortable with allowing guest traffic in the internal network (global table)


Path Isolation: Device and Data Path Virtualization

Device Virtualization (VRF and Global routing instances on the same device)

• Control Plane Virtualization

• Data Plane Virtualization

• Services Virtualization

Data Path Virtualization

• Single-hop: 802.1q, DLCI, VPI/VCI on a logical or physical interface (Layer 3)

• Multi-hop: IP, PW, VFI on a logical or physical interface (Layer 3)

VRF—Virtual Routing and Forwarding


Path Isolation: VRF-Lite and GRE Tunnels

Hub-and-spoke overlay network

Point-to-point GRE interfaces on each spoke (spoke-to-spoke communication not required)

Point-to-point or multipoint GRE on the hub

Routing protocol (EIGRP or OSPF) running in the context of Guest VRF

Default-route only for the spokes

Hub knows all the remote guest subnets

Preventing inter-subnet communication at the hub (when needed)

Path Isolation: Use of p2p GRE Technology (Hub and Spokes)

Hub Configuration

ip vrf guest
 rd 100:1
!
interface Tunnel0
 description GRE to spoke 1
 ip vrf forwarding guest
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 tunnel source Loopback0
 tunnel destination 10.123.100.1
!
interface Tunnel1
 description GRE to spoke 2
 ip vrf forwarding guest
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 tunnel source Loopback1
 tunnel destination 10.123.100.2

Spoke Configuration

ip vrf guest
 rd 100:1
!
interface Tunnel0
 description GRE to hub 1
 ip vrf forwarding guest
 ip address 192.168.100.2 255.255.255.0
 tunnel source Loopback100
 tunnel destination 10.126.100.1
!
interface Tunnel1
 description GRE to hub 2
 ip vrf forwarding guest
 ip address 192.168.200.2 255.255.255.0
 tunnel source Loopback200
 tunnel destination 10.126.200.1
!
interface Vlan10
 description Guest Subnet
 ip vrf forwarding guest
 ip address 10.10.10.1 255.255.255.0


Path Isolation: Enabling a Routing Protocol

EIGRP (Leverages Address-Families to Enable Routing Across Different VRFs)

router eigrp 100
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 no auto-summary
 !
 address-family ipv4 vrf guest
  network 172.32.1.0 0.0.0.255
  no auto-summary
  autonomous-system 100
 exit-address-family

OSPF (Defines a Separate Process for Each Configured VRF)

router ospf 1 vrf guest
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 network 172.32.1.0 0.0.0.255 area 0

Path Isolation: VRF-Lite and GRE Tunnels—Pros and Cons

Pros

• True routing and forwarding segmentation

• Simplifies path differentiation (different default route used for employees and guests)

• Supports wired and wireless clients (independently from the specific wireless deployment)

Cons

• Limited GRE support on Cisco Catalyst platforms

• Limited scalability: recommended for hub-and-spoke deployments
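The following Python model is an added example (not Cisco's code) of what "true routing and forwarding segmentation" means in this design: a packet is looked up only in the VRF of the interface it entered on, so the guest VRF's default route, not the global table's internal routes, decides where guest traffic goes. The spoke tables mirror the spoke configuration above (Vlan10 in VRF guest, Tunnel0 toward the hub); the employee VLAN, the hub's second spoke subnet, the firewall next hop and the next-hop labels are assumptions.

```python
"""Per-VRF forwarding model for the VRF-Lite + GRE hub-and-spoke design.
Added example, not Cisco's code; prefixes and next-hop labels are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class Vrf:
    """One routing table; the global table is modelled as a VRF named 'global'."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match inside this table only; other VRFs are invisible."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


# --- spoke (first L3 hop) ------------------------------------------------
SPOKE: Dict[str, Vrf] = {"global": Vrf("global"), "guest": Vrf("guest")}
SPOKE["global"].add("10.10.20.0/24", "connected Vlan20 (employees)")      # assumed
SPOKE["global"].add("10.0.0.0/8", "core uplink (internal network)")       # assumed
SPOKE["global"].add("0.0.0.0/0", "core uplink (corporate Internet edge)")  # assumed
SPOKE["guest"].add("10.10.10.0/24", "connected Vlan10 (guest subnet)")     # slide: Vlan10
SPOKE["guest"].add("0.0.0.0/0", "Tunnel0 (GRE to hub, VRF guest default)")  # slide: default only
# 'ip vrf forwarding guest' on Vlan10 decides which table a packet is looked up in.
IFACE_VRF = {"Vlan10": "guest", "Vlan20": "global"}

# --- hub: knows every remote guest subnet; default points at the guest firewall
HUB_GUEST = Vrf("guest")
HUB_GUEST.add("10.10.10.0/24", "Tunnel0 (GRE to spoke 1)")
HUB_GUEST.add("10.10.30.0/24", "Tunnel1 (GRE to spoke 2)")   # assumed second spoke
HUB_GUEST.add("0.0.0.0/0", "guest firewall / Internet edge")  # assumed


def spoke_forward(ingress: str, dst: str) -> Optional[str]:
    """A packet is looked up only in the VRF of its ingress interface."""
    return SPOKE[IFACE_VRF[ingress]].lookup(dst)


def hub_forward(dst: str, block_inter_subnet: bool = True) -> str:
    """Hub lookup in VRF guest; optionally drop spoke-to-spoke (guest-to-guest) traffic,
    which the slide lists as 'preventing inter-subnet communication at the hub'."""
    nh = HUB_GUEST.lookup(dst) or "no route in VRF guest"
    if block_inter_subnet and nh.startswith("Tunnel"):
        return "dropped at hub (guest-to-guest inter-subnet traffic blocked)"
    return nh


def trace(ingress: str, dst: str) -> List[str]:
    """Hop-by-hop decisions from the spoke, following the GRE overlay to the hub
    whenever the guest VRF default route is used."""
    first = spoke_forward(ingress, dst) or "no route"
    path = [first]
    if first.startswith("Tunnel0 (GRE to hub"):
        path.append(hub_forward(dst))
    return path


if __name__ == "__main__":
    for ingress, dst in [("Vlan20", "10.20.30.40"), ("Vlan10", "10.20.30.40"),
                         ("Vlan10", "10.10.30.5"), ("Vlan10", "198.51.100.7")]:
        print(ingress, "->", dst, ":", trace(ingress, dst))
```

The same destination, 10.20.30.40 on the internal network, is reached by an employee through the global table's 10.0.0.0/8 route but is sent by a guest down the GRE tunnel, because the guest VRF never learns that prefix; the hub then hands it to the guest firewall, which is where policy is applied. Separate default routes for employees and guests is exactly the "path differentiation" the slide credits this design with.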


Path Isolation: VRF-Lite End-to-End

VRF-lite on all routed hops: core and distribution

802.1q tags provide single-hop data path virtualization

Every link is an 802.1q trunk

These trunks do not extend VLANs throughout the campus

Trunks are used to virtualize the data path between multiple virtual routers

Every physical link carries multiple logical routed links

[Diagram: Multi-VRF devices connected by 802.1q trunks; the VLAN tag is L2 only on each link, and every hop is routed (Layer 3), not bridged]


Path Isolation: VRF-Lite End-to-End—Pros and Cons

Pros

• True routing and forwarding segmentation

• Simplifies path differentiation (different default route used for employees and guests)

• Supports wired and wireless clients (independently from the specific wireless deployment)

• Widely supported across Cisco Catalyst platforms

Cons

• Limited scalability: recommended for a low number of VPNs (up to 10–12)

• Limited multicast support in the context of a VRF (6500 only)


Path Isolation: WLAN Controller Deployments with EoIP Tunnel

Use of EoIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers

Other traffic (employee, for example) is still locally bridged at the edge controller on the corresponding VLAN

No need to define the guest VLANs on the switches connected to the edge controllers

Original guest’s Ethernet frame maintained across LWAPP and EoIP tunnels

Redundant EoIP tunnels to the Anchor WLC

2106 model can’t terminate EoIP connections (no anchor role)

[Diagram: LWAPP APs advertising the Guest and Emp SSIDs; Emp traffic is bridged onto the wireless VLANs at the edge controllers, while Guest traffic is carried in EoIP “Guest Tunnels” across the Campus Core to the Guest WLAN Controller (Anchor), which connects to the Internet]

Path Isolation: How to Do EoIP Tunneling

Specify a mobility group for each WLC

Open ports for: Inter-Controller Tunneled Client Data; Inter-Controller Control Traffic

Configure the mobility groups and add the MAC address and IP address of the remote WLC

Create the Mobility Anchor for the Guest WLAN

Modify the timers in the WLCs

Check the status of the Mobility Anchors for the WLAN

Pros

• Simple configuration

• Overlay solution: no need to modify the network configuration

Cons

• Support for wireless and wired (layer-2 adjacent) guest clients only

• Limited to WLAN Controller wireless deployments


Path Isolation WLAN Controller Deployments with EoIP Tunnel

Each WLC is part of a mobility group

Path Isolation: Firewall Ports

These Ports Must be Open!

Open ports for:

• Inter-Controller Tunneled Client Data: IP Protocol 97

• Inter-Controller Control Traffic: UDP Port 16666 (or 16667, if encrypted)

Optional management/operational protocols:

• SSH/Telnet: TCP Port 22/23

• TFTP: UDP Port 69

• NTP: UDP Port 123

• SNMP: UDP Ports 161 (gets and sets) and 162 (traps)

• HTTPS/HTTP: TCP Port 443/80

• Syslog: TCP Port 514


Path Isolation: WLAN Controller Deployments with EoIP Tunnel

Configure the mobility groups and add the MAC address and IP address of the remote WLC

Create the mobility anchor for the guest WLAN

Modify the timers in the WLCs

Check the status of the mobility anchors for the WLAN

Path Isolation: Sample Firewall Configuration

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.60.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16666
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16667
access-list DMZ extended permit 97 host 10.10.51.2 host 10.10.60.2
!
global (dmz) 1 interface
nat (inside) 1 10.10.60.0 255.255.255.0
static (inside,dmz) 10.10.60.2 10.10.60.2 netmask 255.255.255.255
access-group DMZ in interface dmz
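To check the sample firewall configuration against the port list on the Firewall Ports slide, the following Python script (an added example, not Cisco's code) parses the ASA access-list lines, evaluates each required foreign-to-anchor flow with first-match semantics and the implicit deny, and reports what is missing. The access-list text is copied from the slide; the flow descriptions are constructed labels. Only the dmz-inbound direction is checked, since in the sample the inside-to-dmz direction is permitted by the security levels.

```python
"""Verifies that an ASA access-list permits the flows the EoIP mobility tunnel
needs. Added example, not Cisco's code; the ACL text is the slide's sample."""
import ipaddress
from typing import List, NamedTuple, Optional

PORT_NAMES = {"ssh": 22, "telnet": 23, "tftp": 69, "ntp": 123, "snmp": 161,
              "snmptrap": 162, "www": 80, "https": 443, "syslog": 514}


class Ace(NamedTuple):
    acl: str
    action: str
    proto: str                   # 'udp', 'tcp', 'ip' or an IP protocol number such as '97'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    purpose: str


def _addr(t: List[str], i: int):
    """'any', 'host A' or 'A MASK' (ASA uses subnet masks, not wildcards)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i] + "/" + t[i + 1]), i + 2


def parse_asa_acl(config: str) -> List[Ace]:
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        aces.append(Ace(t[1], t[3], t[4], src, dst, dport))
    return aces


def permitted(aces: List[Ace], flow: Flow) -> bool:
    """First matching ACE decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for a in aces:
        if a.proto != "ip" and a.proto != flow.proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != flow.dport:
            continue
        return a.action == "permit"
    return False


def missing_flows(config: str, required: List[Flow]) -> List[str]:
    """Purposes of the required flows that the configuration does not permit."""
    aces = parse_asa_acl(config)
    return [f.purpose for f in required if not permitted(aces, f)]


# Sample from the slide: anchor WLC 10.10.60.2 on inside, foreign WLC 10.10.51.2 on dmz.
SAMPLE_CONFIG = """\
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16666
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16667
access-list DMZ extended permit 97 host 10.10.51.2 host 10.10.60.2
access-group DMZ in interface dmz
"""

# Flows from the Firewall Ports slide, foreign (dmz) -> anchor (inside). Labels constructed.
REQUIRED = [
    Flow("udp", "10.10.51.2", "10.10.60.2", 16666, "mobility control traffic (UDP 16666)"),
    Flow("udp", "10.10.51.2", "10.10.60.2", 16667, "encrypted mobility control traffic (UDP 16667)"),
    Flow("97", "10.10.51.2", "10.10.60.2", None, "EoIP tunneled client data (IP protocol 97)"),
]

if __name__ == "__main__":
    print("missing with sample config:", missing_flows(SAMPLE_CONFIG, REQUIRED))
    without_eoip = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "permit 97" not in l)
    print("missing without the protocol-97 line:", missing_flows(without_eoip, REQUIRED))
```

The most common mistake this catches is a firewall that allows the mobility control ports but not IP protocol 97: the controllers report each other as Up in show mobility summary, yet no guest traffic crosses the tunnel. The optional management ports on the slide can be added to REQUIRED in the same way if the anchor is managed from the inside.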

Show Commands

(Cisco Controller) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Disabled

Symmetric Mobility Tunneling (after reboot) ..... Disabled

Mobility Protocol Port........................... 16666

Mobility Security Mode........................... Disabled

Default Mobility Domain.......................... mobile-10

Mobility Keepalive interval...................... 10

Mobility Keepalive count......................... 3

Mobility Group members configured................ 3

Controllers configured in the Mobility Group

MAC Address IP Address Group Name Status

00:18:73:34:b2:60 10.10.75.2 mobile-9 Up

00:18:73:34:b3:00 10.10.76.2 mobile-9 Up

00:18:b9:ea:a7:20 10.10.80.3 <local> Up

(Cisco Controller) >show mobility anchor 2

Mobility Anchor Export List

WLAN ID IP Address Status

2 10.10.75.2 Up

2 10.10.76.2 Up

(Cisco Controller) >show mobility statistics

Global Mobility Statistics

Rx Errors .................................... 11591

Tx Errors .................................... 0

Responses Retransmitted ...................... 0

Handoff Requests Received .................... 0

Handoff End Requests Received ................ 8

State Transitions Disallowed.................. 0

Resource Unavailable.......................... 0

Mobility Initiator Statistics

Handoff Requests Sent ........................ 258

Handoff Replies Received ..................... 0

Handoff as Local Received .................... 0

Show Commands—Remote and Anchor WLC

Remote (foreign) WLC:

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b

Client MAC Address............................... 00:40:96:ad:0d:1b

Client Username ................................. N/A

AP MAC Address................................... 00:14:1b:59:3f:10

Client State..................................... Associated

Wireless LAN Id.................................. 1

BSSID............................................ 00:14:1b:59:3f:1f

Channel.......................................... 64

IP Address....................................... Unknown

Association Id................................... 1

Authentication Algorithm......................... Open System

Reason Code...................................... 0

Status Code...................................... 0

Session Timeout.................................. 0

Client CCX version............................... 5

Client E2E version............................... No E2E support

Mirroring........................................ Disabled

QoS Level........................................ Silver

Mobility State................................... Export Foreign

Mobility Anchor IP Address....................... 10.10.75.2

Mobility Move Count.............................. 0

Security Policy Completed........................ Yes

Policy Manager State............................. RUN

Policy Manager Rule Created...................... Yes

NPU Fast Fast Notified........................... Yes

Policy Type...................................... N/A

Encryption Cipher................................ None

Management Frame Protection...................... No

EAP Type......................................... Unknown

Interface........................................ guest-vlan

VLAN............................................. 60

Anchor WLC:

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b

Client MAC Address............................... 00:40:96:ad:0d:1b

Client Username ................................. guest1

AP MAC Address................................... 00:00:00:00:00:00

Client State..................................... Associated

Wireless LAN Id.................................. 2

BSSID............................................ 00:00:00:00:00:01

Channel.......................................... N/A

IP Address....................................... 10.10.77.48

Association Id................................... 0

Authentication Algorithm......................... Open System

Reason Code...................................... 0

Status Code...................................... 0

Session Timeout.................................. 0

Mirroring........................................ Disabled

QoS Level........................................ Silver

Mobility State................................... Export Anchor

Mobility Foreign IP Address...................... 10.10.50.2

Mobility Move Count.............................. 1

Security Policy Completed........................ Yes

Policy Manager State............................. RUN

Policy Manager Rule Created...................... Yes

NPU Fast Fast Notified........................... Yes

Policy Type...................................... N/A

Encryption Cipher................................ None

Management Frame Protection...................... No

EAP Type......................................... Unknown

Interface........................................ guest

VLAN............................................. 77


Path Isolation: WLAN Controller Deployments with EoIP Tunnel

EoIP tunnels transport guest traffic between edge and anchor controllers

Original guest’s Ethernet frame maintained across LWAPP and EoIP tunnels

Pros:
- Simple configuration
- Overlay solution: no need to modify the network configuration

Cons:
- Support for wireless guest clients only
- Limited to WLAN controller wireless deployments



Services Edge: Guest Network Services

Providing network services to guest users in a centralized location

- Dedicated DHCP and DNS services still controlled by the host organization
- DNS services offered by external server
- DHCP services offered by external server or web-auth appliance
- Separate FW dedicated to Guest
  - FW in routed mode: NAT/PAT to return traffic through the proper FW
  - FW in transparent mode: static routes required on Internet router

[Diagram labels: Guest Default Route, Global Default Route]


Web-Authentication for Guest Users: Technical Requirements

Common web-authentication system for wired and wireless clients

Deployed in a centralized fashion: authentication and authorization on a centralized in-band device

Record the activity of guest users while connected to the Enterprise network

Force the acceptance of Enterprise legal disclaimer before getting Internet connectivity

Used for billing purposes (in some cases)


Components of a Guest Access Solution

- Network Segmentation (IT admin function): tunnels or VLANs
- User Provisioning (employee function): guest provisioning web portal
- User Login Portal (guest user function): guest user intercept web auth portal
- Reporting, Billing (IT admin function): audit trails, billing integration
- User Policy Management (IT admin function): differentiated access by user


Network Segmentation

- Using EoIP pings (data path) functionality, Anchor WLC reachability will be determined
- Foreign WLC will send pings at configurable intervals to see if the Anchor WLC is alive
- Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
- Remote WLC will keep on monitoring the Anchor WLC
- Under normal conditions, round-robin fashion is used to balance clients between Anchor WLCs

[Diagram: foreign controller F1 (Guest VLAN 10.10.60.x/24, Management 10.10.80.3) with an EtherIP “Guest Tunnel” primary link and a redundant link across the Campus Core to anchor controllers A1 and A2 (Management 10.10.75.2 and 10.10.76.2) in front of the Internet; LWAPP APs on the wireless VLANs carry the Guest and Secure SSIDs]
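The anchor-monitoring behaviour listed above, as an added simulation. This is not Cisco controller code: the class names, the three-missed-pings failure threshold, the per-anchor ping callback and the client MAC addresses (two are taken from the client output earlier in the deck, the rest are constructed) are assumptions used to show round-robin placement, dead-anchor detection, the DEAUTH of the affected clients and continued monitoring of the failed anchor.

```python
"""Simulation of foreign-to-anchor EoIP health checks (added example, not WLC code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Anchor:
    mgmt_ip: str
    alive: bool = True          # result of the most recent EoIP data-path ping
    missed_pings: int = 0       # consecutive unanswered pings


@dataclass
class ForeignController:
    anchors: List[Anchor]
    dead_after: int = 3                      # assumed threshold; configurable on a real WLC
    clients: Dict[str, Anchor] = field(default_factory=dict)   # client MAC -> anchor
    deauth_log: List[str] = field(default_factory=list)
    _rr_index: int = 0

    def live_anchors(self) -> List[Anchor]:
        return [a for a in self.anchors if a.alive]

    def place_client(self, mac: str) -> Optional[str]:
        """Round-robin a new guest client onto the next live anchor; None if none is alive."""
        live = self.live_anchors()
        if not live:
            return None
        anchor = live[self._rr_index % len(live)]
        self._rr_index += 1
        self.clients[mac] = anchor
        return anchor.mgmt_ip

    def poll(self, ping: Callable[[str], bool]) -> List[str]:
        """One monitoring interval: ping every anchor, dead ones included, so recovery is seen.
        Returns the client MACs that were DEAUTHed because their anchor was declared dead."""
        deauthed: List[str] = []
        for anchor in self.anchors:
            if ping(anchor.mgmt_ip):
                anchor.missed_pings, anchor.alive = 0, True
                continue
            anchor.missed_pings += 1
            if anchor.alive and anchor.missed_pings >= self.dead_after:
                anchor.alive = False
                # The tunnel is gone: DEAUTH the clients anchored there so they re-associate.
                for mac, a in list(self.clients.items()):
                    if a is anchor:
                        self.deauth_log.append(f"DEAUTH {mac} (anchor {anchor.mgmt_ip} unreachable)")
                        deauthed.append(mac)
                        del self.clients[mac]
        return deauthed


def run_scenario() -> dict:
    """Constructed scenario: two anchors, four clients, then anchor A1 stops answering."""
    a1, a2 = Anchor("10.10.75.2"), Anchor("10.10.76.2")
    f1 = ForeignController([a1, a2])
    macs = ["00:40:96:ad:0d:1b", "00:40:96:ad:12:39", "00:40:96:ad:00:01", "00:40:96:ad:00:02"]
    placement = {mac: f1.place_client(mac) for mac in macs}

    reachable = {"10.10.75.2": False, "10.10.76.2": True}   # A1 goes silent
    deauthed: List[str] = []
    for _ in range(f1.dead_after):
        deauthed += f1.poll(lambda ip: reachable[ip])

    # The DEAUTHed clients re-associate and are now placed on the surviving anchor only.
    replaced = {mac: f1.place_client(mac) for mac in deauthed}
    return {"initial": placement, "deauthed": deauthed, "replaced": replaced,
            "a1_alive": a1.alive, "a2_alive": a2.alive}
```

Under normal conditions the four clients alternate between A1 and A2; after three unanswered pings A1 is marked dead, its two clients are DEAUTHed, and on re-association both land on A2 while A1 keeps being polled so it can be put back into rotation.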


Guest Network Bandwidth Contracts

- Specify bandwidth limitations and policies by individual user or group
- Ability to allocate resources by specific job function or throughput requirements
- Organization’s overall network performance is enhanced
- Increased granularity and control improves network security

[Diagram: Accounting Contractor on SSID = ACCT (Best Effort) and Network Admin Contractor on SSID = CONTRACTOR (4 Mbps, High Speed); Guest and Emp wireless VLANs tunneled over LWAPP through the Campus Core to the Anchor Controller and the Internet]
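How a per-role bandwidth contract polices traffic, as an added example (not WLC code): the two role names and the 4 Mbps contract come from the slide, while the token-bucket model, the 50 kB burst allowance and the frame trace are constructed assumptions.

```python
"""Per-role bandwidth contract enforcement modelled as a token bucket (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BandwidthContract:
    avg_bps: Optional[int]     # None = Best Effort, i.e. no contract is applied
    burst_bytes: int = 0       # bucket depth: how far a user may exceed the average briefly


class TokenBucket:
    """Classic token bucket, kept in integer bytes and milliseconds so the arithmetic is exact."""

    def __init__(self, contract: BandwidthContract):
        self.contract = contract
        self.tokens = contract.burst_bytes   # start full: the first burst is allowed
        self.last_ms = 0

    def admit(self, size: int, now_ms: int) -> bool:
        """True if a frame of `size` bytes arriving at `now_ms` fits the contract."""
        c = self.contract
        if c.avg_bps is None:
            return True                                          # best effort: never policed
        refill = (now_ms - self.last_ms) * (c.avg_bps // 8000)   # bytes earned per ms elapsed
        self.tokens = min(c.burst_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                                             # out of contract: dropped


# Assumed role-to-contract mapping following the slide's two contractor roles.
ROLES: Dict[str, BandwidthContract] = {
    "Accounting Contractor": BandwidthContract(avg_bps=None),                               # Best Effort
    "Network Admin Contractor": BandwidthContract(avg_bps=4_000_000, burst_bytes=50_000),  # 4 Mbps
}


def police(role: str, frames: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Run a (time_ms, bytes) trace through a role's contract; return (admitted, dropped)."""
    bucket = TokenBucket(ROLES[role])
    admitted = dropped = 0
    for t_ms, size in frames:
        if bucket.admit(size, t_ms):
            admitted += 1
        else:
            dropped += 1
    return admitted, dropped


# Constructed trace: one 1500-byte frame every millisecond = 12 Mbps offered load.
TRACE = [(ms, 1500) for ms in range(100)]
```

With the 12 Mbps trace the Network Admin Contractor role drains its 50 kB burst after 49 frames and is then held to one frame in three (500 bytes of credit per millisecond against 1500-byte frames), while the Best Effort role is never policed.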


User Policy Management Options

Versatile Management for Any Deployment Environment

Integrated Device Management:
- Web-based management GUI served from WLAN Controller
- Designed for small, single Controller deployments
- Basic user scheduling

Cisco Wireless Control System:
- Web-based multi-device management
- Designed for more feature-rich and multiple controller deployments
- Full-featured user scheduling
- Provision users by physical area


Services Edge: Create the Lobby Admin in WLC

Lobby administrator can be created in WLC directly

[Diagram: WLC in the Campus Core with LWAPP APs on Guest and Emp wireless VLANs, Internet at the edge]


Services Edge: Add a “Guest” User on the WLC

[Screenshot: Guest User List > New]


Services Edge: Creating the Bandwidth Contract

Bandwidth policies can be created in WCS using Controller Templates under
Configure --> Controller Templates --> System --> User Roles


Services Edge: Lobby Ambassador Feature in WCS

- User created in WCS with Lobby Ambassador (LA) privilege
- Lobby Ambassador user logs into the WCS to create guest user accounts

[Diagram: WCS in the Campus Core with LWAPP APs on Guest and Emp wireless VLANs, Internet at the edge]


Services Edge: Lobby Ambassador Feature in WCS

Associate the lobby admin with some default information


Services Edge: Add a Guest User


Services Edge: Print/E-Mail Details of Guest User


Services Edge: Schedule a Guest User


Services Edge: Details About the Guest User(s)


How to Implement User Login Portal

Simple and Customizable:
- Upload an HTML file from the Wireless Control System (WCS) to the WLAN Controller
- The login portal is then served from WLAN Controller or external server

Additional Considerations, to help reduce help desk calls:
- Login failure message portal
- Logout verification message portal

[Diagram: Guest wireless client on the Guest SSID; LWAPP APs on Guest and Emp wireless VLANs; WLC and WCS in the Campus Core; Internet at the edge]


Services Edge: Web Portal—Internal to WLC

Internal web login page in WLC

[Diagram: WLC in the Campus Core serving the Guest login page; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Web Portal—External Web Server

Web portal in an external web server

[Diagram: External Web Server next to the WLC in the Campus Core; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Configuring Customized WebAuth in WCS

1. Download a sample copy of the customized webauth page from WCS
2. Customize the webauth page as per your requirements
3. Upload the newly customized webauth page to the Anchor WLC

[Diagram: WCS in the Campus Core; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Configuring Customized WebAuth in WCS

Upload the customized web page to the Anchor WLC

Customized webauth bundle can contain:
- 22 login pages (16 WLANs and 5 Wired LANs)
- 22 login failure pages (in WCS 5.0)
- 22 login successful pages (in WCS 5.0)

[Diagram: WCS in the Campus Core; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Sample Customized WebAuth in WCS

Sample webauth bundle with customized login.html, logout.html and loginfailure.html files

[Diagram: WCS in the Campus Core; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Using the Customized WebAuth Files in WLC

Select the login.html, logout.html and loginfailure.html files in the WLAN configuration of the WLC


Services Edge: Guest User Database—Internal

- Configure the local internal database of the WLC
- 2048 usernames can be stored in the database per WLC
- Guest usernames are deleted automatically after the activity period

[Diagram: WLC holding the Guest database in the Campus Core; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Guest User Database—External RADIUS

- External RADIUS server can be used to store guest usernames and passwords
- Change the WLAN configuration to check the external RADIUS server for authentication

[Diagram: RADIUS Server next to the WLC in the Campus Core; LWAPP APs on Guest and Emp wireless VLANs; Internet at the edge]


Services Edge: Web Login Page on the Client

1. Wireless guest user associates to the guest SSID
2. Initiates a browser connection to any website
3. Web login page will be displayed

[Diagram: Guest wireless client; LWAPP APs on Guest and Emp wireless VLANs; WCS and WLC in the Campus Core; Internet at the edge]


Guest User Log—Anchor Controller

(WiSM-slot1-2) >config msglog level verbose
(WiSM-slot1-2) >show msglog
Message Log Severity Level ...................... VERBOSE
Fri Nov 3 15:08:06 2006 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'admin'
Fri Nov 3 15:07:01 2006 [VERBOSE] pem_api.c 5839: Guest user logged out with user account (guest123) MAC Addr 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [VERBOSE] pem_api.c 5761: Guest user logged in with user account (guest123) MAC Address 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [SECURITY] aaa.c 666: Authentication succeeded for network user 'guest123'
Fri Nov 3 15:05:30 2006 [VERBOSE] apf_foreignap.c 1075: Guest user with MAC Address 00:40:96:ad:12:39 assigned IP Address 172.20.225.149

[Diagram: controller message log forwarded to a SYSLOG Server]
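Turning the message log above into a per-guest audit trail, as an added example (not Cisco or WCS code). The sample lines are the ones printed on the slide, newest first as `show msglog` lists them; the record layout, the regular expressions and the check that the login IP matches the DHCP-assigned one are my own and assume only the message formats visible there.

```python
"""Build a per-guest audit trail from WLC message-log lines (added example)."""
import re
from datetime import datetime
from typing import Dict, List

# Sample lines copied from the slide (the controller prints newest first).
SAMPLE_MSGLOG = """\
Fri Nov 3 15:08:06 2006 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'admin'
Fri Nov 3 15:07:01 2006 [VERBOSE] pem_api.c 5839: Guest user logged out with user account (guest123) MAC Addr 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [VERBOSE] pem_api.c 5761: Guest user logged in with user account (guest123) MAC Address 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [SECURITY] aaa.c 666: Authentication succeeded for network user 'guest123'
Fri Nov 3 15:05:30 2006 [VERBOSE] apf_foreignap.c 1075: Guest user with MAC Address 00:40:96:ad:12:39 assigned IP Address 172.20.225.149
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<sev>\w+)\] (?P<src>\S+) (?P<lineno>\d+): (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"Guest user logged in with user account \((?P<user>[^)]+)\) "
                      r"MAC Address (?P<mac>[0-9a-f:]{17}) IP Address (?P<ip>[\d.]+)")
LOGOUT_RE = re.compile(r"Guest user logged out with user account \((?P<user>[^)]+)\) "
                       r"MAC Addr (?P<mac>[0-9a-f:]{17}) IP Address (?P<ip>[\d.]+)")
ASSIGN_RE = re.compile(r"Guest user with MAC Address (?P<mac>[0-9a-f:]{17}) "
                       r"assigned IP Address (?P<ip>[\d.]+)")


def parse_ts(ts: str) -> datetime:
    # Collapse the double space the controller prints before single-digit days.
    return datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")


def build_audit_trail(msglog: str) -> Dict[str, dict]:
    """Return one record per guest session, keyed by client MAC."""
    sessions: Dict[str, dict] = {}
    # Walk oldest-first so that assignment -> login -> logout are seen in order.
    for raw in reversed(msglog.strip().splitlines()):
        m = LINE_RE.match(raw)
        if not m:
            continue
        when, msg = parse_ts(m["ts"]), m["msg"]
        if a := ASSIGN_RE.search(msg):
            sessions.setdefault(a["mac"], {"mac": a["mac"]})["ip_assigned"] = a["ip"]
        elif li := LOGIN_RE.search(msg):
            s = sessions.setdefault(li["mac"], {"mac": li["mac"]})
            s.update(user=li["user"], login=when, ip=li["ip"])
            # Flag a login IP that differs from the DHCP-assigned one (static IP on the guest VLAN).
            s["ip_mismatch"] = s.get("ip_assigned") not in (None, li["ip"])
        elif lo := LOGOUT_RE.search(msg):
            s = sessions.setdefault(lo["mac"], {"mac": lo["mac"]})
            s["logout"] = when
            if "login" in s:
                s["duration_s"] = int((when - s["login"]).total_seconds())
    return sessions


def summarize(sessions: Dict[str, dict]) -> List[str]:
    """One printable line per session; sessions without a logout are marked OPEN."""
    out = []
    for s in sessions.values():
        end = s.get("logout")
        out.append(f"{s.get('user', '?')} {s['mac']} {s.get('ip', '?')} "
                   f"{s.get('login')} -> {end if end else 'OPEN'} "
                   f"({s.get('duration_s', 'n/a')} s)"
                   f"{' IP-MISMATCH' if s.get('ip_mismatch') else ''}")
    return out
```

For the slide's lines this yields a single 50-second session for guest123 on 00:40:96:ad:12:39 at 172.20.225.149; feeding the same parser the syslog export from the SYSLOG server gives the same records for every anchor controller.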


Audit Trail in WCS


Wireless Guest Access—Deployment Options

[Diagram: three topologies, left to right: Cisco Standalone APs on the LAN to the Internet; Cisco Unified Wireless with WCS but no DMZ controller; Cisco Unified Wireless with WCS and a DMZ WLC reached over EoIP]

                           Cisco Standalone APs   Cisco Unified Wireless—   Cisco Unified Wireless—
                                                  No DMZ Controller         DMZ Controller
Provisioning Portal        No                     Yes                       Yes
User Login Portal          No                     Yes                       Yes
Traffic Segmentation       VLANs thru Network     VLANs thru Network        Yes—Tunnels or VLANs
User Policy Management     No                     Yes                       Yes
Reporting                  No                     Yes                       Yes
Overall Functionality      Low                    Medium                    High
Overall Design Complexity  Medium                 Medium                    Low


Unified Wired and Wireless Guest Access

Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access

Allows organizations to leverage existing wireless infrastructure to provide guest access on the LAN

Universal provisioning interface and captive portal provides ease of guest user provisioning and consistent network access

Enables the ability to leverage common guest user policies for both wired and wireless network access


Unified Wired and Wireless Guest Access

[Diagram: a Wired Client on a Layer-2 Switch joins the same EtherIP “Guest Tunnel” as the wireless Guest SSID; LWAPP APs on the wireless VLANs carry Guest and Secure SSIDs across the Campus Core to the Internet]


Wired Guest Access Deployment Requirements

Five guest LANs for wired guest access will be supported

Admin can create wired guest VLANs on the WLC and associate it with the guest LAN

Web-auth will be the default security on a wired guest LAN, but open and web pass-thru is also supported

No L2 security is supported, like 802.1x

Multicast and broadcast traffic will be dropped on wired guest VLANs

Wired guest access will be supported on a single guest WLC scenario or Anchor-Foreign Guest WLC scenario


Wired Guest Access Supported Platforms

Wired Guest Access Is Supported in the Following Platforms:
- Cisco 4400 Wireless LAN Controller
- Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
- Cisco Catalyst 3750G Integrated Wireless LAN Controller


Wired Guest Access Deployment Requirements

Wired guest plugs into specified guest port (i.e. in EBC, guest cube, training center, etc.)

Create a Layer 2 VLAN on the access layer switch

cat6506#sh vlan id 49

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
49   VLAN0049                         active    Gi2/1, Gi2/2, Gi2/4, Gi2/35
                                                Gi2/39, Fa4/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
49   enet  100049     1500  -      -      -        -    -        0      0

interface FastEthernet4/24
 description Wired Guest Access
 switchport
 switchport access vlan 49
 no ip address
end

interface GigabitEthernet2/4
 description Trunk port to the WLC
 switchport
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3,4,49
 switchport mode trunk
 no ip address
end
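A check for the switch side of this design, as an added example (not Cisco code): it parses the two interface stanzas from the slide, embedded below as the sample, and reports the conditions a reviewer would look for before trusting the guest VLAN as a pure Layer 2 path to the WLC: the guest port is an access port in the guest VLAN with its mode pinned so DTP cannot negotiate a trunk, the trunk to the WLC carries that VLAN without making it the native VLAN, and no SVI ("interface VlanNN") gives the VLAN a routed hop around the controller. The DTP and SVI checks are my additions; the slide only shows the VLAN and port configuration.

```python
"""Verify that a wired-guest VLAN is provisioned as a Layer 2 path to the WLC (added example)."""
import re
from typing import Dict, List, Set

# Sample interface stanzas copied from the slide.
SAMPLE_CONFIG = """\
interface FastEthernet4/24
 description Wired Guest Access
 switchport
 switchport access vlan 49
 no ip address
end
interface GigabitEthernet2/4
 description Trunk port to the WLC
 switchport
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3,4,49
 switchport mode trunk
 no ip address
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> list of its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # 'end', '!' or any unindented line closes the stanza
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """'2,3,4,49' -> {2, 3, 4, 49}; '10-12,49' -> {10, 11, 12, 49}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def check_wired_guest_vlan(config: str, guest_vlan: int, guest_port: str, wlc_trunk: str) -> List[str]:
    """Return findings; an empty list means the guest VLAN looks correctly isolated."""
    findings: List[str] = []
    ifs = parse_interfaces(config)

    port = ifs.get(guest_port, [])
    if f"switchport access vlan {guest_vlan}" not in port:
        findings.append(f"{guest_port}: not an access port in VLAN {guest_vlan}")
    if "switchport mode access" not in port:
        findings.append(f"{guest_port}: 'switchport mode access' missing (DTP could negotiate a trunk)")

    trunk = ifs.get(wlc_trunk, [])
    allowed = None
    for cmd in trunk:
        m = re.match(r"switchport trunk allowed vlan (?:add )?(\S+)", cmd)
        if m:
            allowed = expand_vlan_list(m.group(1))
    if "switchport mode trunk" not in trunk:
        findings.append(f"{wlc_trunk}: not configured as a trunk")
    if allowed is None:
        findings.append(f"{wlc_trunk}: allowed VLAN list not pruned (every VLAN reaches the WLC)")
    elif guest_vlan not in allowed:
        findings.append(f"{wlc_trunk}: VLAN {guest_vlan} not in allowed list {sorted(allowed)}")
    if f"switchport trunk native vlan {guest_vlan}" in trunk:
        findings.append(f"{wlc_trunk}: guest VLAN must not be the untagged native VLAN")

    if f"Vlan{guest_vlan}" in ifs:
        findings.append(f"interface Vlan{guest_vlan} exists: guest VLAN has a routed SVI bypassing the WLC")
    return findings
```

Run against the slide's own stanzas the only finding is the missing explicit `switchport mode access` on FastEthernet4/24; adding that line clears the report, while adding an `interface Vlan49` with an address would be flagged as a routed bypass of the controller.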


Wired Guest Access Deployment Requirements

- Create a dynamic interface as guest LAN, which will be the ingress interface
- DHCP server information is not required on the ingress interface
- DHCP server information is required on the egress dynamic interface


Wired Guest Access Config

Create the wired guest LAN


Wired Guest Config

Assign the ingress and egress interface

Ingress interface is the wired guest LAN

Egress interface could be the management or any dynamic interface


Wireless and Wired Guest Config

Wireless and wired guest WLAN


Cisco NAC Guest Server


Cisco’s Unified Guest Access Solution

[Diagram: a User and a Sponsor; Access Network Enforcement by the Secure Catalyst Switch, Access Point, Wireless LAN Controller and NAC Appliance; Guest Lifecycle Management by the NAC Guest Server (New!) and Cisco WCS]


NAC Guest Server Overview

NAC guest server appliance provides integrated guest access provisioning, management, and reporting

Part number: NAC3310-GUEST-K9

Purpose-built appliance that is easy to deploy and simple to manage and use

Integrates seamlessly with NAC and WLC deployments for wired or wireless guest access

Provides an advanced guest access feature set

Allows easy and secure creation of guest user accounts


Cisco Wireless Guest Access Solutions

[Chart: cost versus functionality, from low to high]
- Basic, Small Deployment: Wireless LAN Controllers using Integrated WLC Management
- Advanced Guest Provisioning & Reporting: Wireless LAN Controllers + Cisco WCS
- Enhanced, Enterprise-Grade Guest Provisioning: Wireless LAN Controllers + NAC Guest Server (New!)
- Increased Guest User Security & Control: NAC Appliance, add to any guest deployment


Cisco Wired Guest Access Solutions

[Chart: cost versus functionality, covering a Static Wired Port Deployment and a Dynamic Wired Port Deployment]
- Advanced Guest Provisioning & Reporting: Wireless LAN Controllers + Cisco WCS, or NAC Guest Server (New!)
- Increased Guest User Security & Control: NAC Appliance
- Deploying NAC-based approach natively includes: Advanced Guest Provisioning & Reporting; Increased Guest User Security & Control


Adding NAC Guest Server to WLAN Controller Deployment

1. Provisioning personnel creates profile in NGS appliance
2. Guest connects to “guest” SSID and authenticates to the captive portal provided by the WLC
3. Guest credentials are stored on NGS; WLC checks the credentials via RADIUS to NGS

[Diagram: DMZ WLAN Controller reached from the Campus Core over EtherIP “Guest Tunnels”; LWAPP APs on Guest and Emp wireless VLANs; NAC Guest Server alongside the DMZ controller in front of the Internet]


NAC Guest Server Admin Interface

Admin portal is required to configure the device. To access the Admin portal use http(s)://ip.addr/admin

[Screenshot: main page after logging in]


Sponsor Authentication: Local Account/AD

The sponsor account can be a local user in NGS or Active Directory Account


Guest Policy: Username/Password Policy

Username Policy:
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters

Password Policy:
1. Alphabetic characters
2. Numeric characters
3. Special characters


WLC Integration: Guest Server Configuration

Add the WLC as a NAS in the NGS

NGS uses standard RADIUS Attribute 27 (session-timeout)
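Guest account provisioning in the style of the two slides above (username/password policy, and the Session-Timeout attribute 27 the WLC receives over RADIUS), as an added example that is not NAC Guest Server code. The three username policies and the three password character classes are those the slide lists; the character counts, the permitted special-character set, the validity window, the sponsor name and the attribute TLV helper are constructed assumptions.

```python
"""Guest account provisioning with policy-conformant credentials and a RADIUS
Session-Timeout derived from the account's remaining validity (added example)."""
import secrets
import string
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SPECIALS = "!#$%&*+-=?@_"          # assumed set of permitted special characters
SESSION_TIMEOUT_ATTR = 27          # RADIUS Session-Timeout, the attribute named on the slide


@dataclass
class GuestAccount:
    username: str
    password: str
    valid_from: datetime
    valid_to: datetime
    sponsor: str


def make_username(policy: str, *, email: str = "", first: str = "", last: str = "", length: int = 8) -> str:
    """Apply one of the three username policies from the slide."""
    if policy == "email":
        if "@" not in email:
            raise ValueError("e-mail policy needs an address")
        return email.lower()
    if policy == "name":
        if not (first and last):
            raise ValueError("name policy needs first and last name")
        return (first + last).lower()
    if policy == "random":
        alphabet = string.ascii_letters + string.digits + SPECIALS
        return "".join(secrets.choice(alphabet) for _ in range(length))
    raise ValueError(f"unknown username policy {policy!r}")


def make_password(alpha: int = 6, digits: int = 2, special: int = 2) -> str:
    """Password with the required number of alphabetic, numeric and special characters,
    drawn from the OS CSPRNG and shuffled so the classes are not in a fixed order."""
    chars = ([secrets.choice(string.ascii_letters) for _ in range(alpha)]
             + [secrets.choice(string.digits) for _ in range(digits)]
             + [secrets.choice(SPECIALS) for _ in range(special)])
    for i in range(len(chars) - 1, 0, -1):       # Fisher-Yates with secrets, not random.shuffle
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def password_meets_policy(pw: str, alpha: int = 6, digits: int = 2, special: int = 2) -> bool:
    return (sum(c.isalpha() for c in pw) >= alpha
            and sum(c.isdigit() for c in pw) >= digits
            and sum(c in SPECIALS for c in pw) >= special)


def provision(sponsor: str, first: str, last: str, start: datetime, hours: int) -> GuestAccount:
    """Sponsor creates an account; the name-based username policy is an assumed choice."""
    return GuestAccount(make_username("name", first=first, last=last), make_password(),
                        start, start + timedelta(hours=hours), sponsor)


def session_timeout(account: GuestAccount, now: datetime) -> Optional[int]:
    """Seconds until the account expires (the Session-Timeout value), or None when the
    account is not valid at `now`, in which case the Access-Request should be rejected."""
    if not (account.valid_from <= now < account.valid_to):
        return None
    return int((account.valid_to - now).total_seconds())


def encode_session_timeout(seconds: int) -> bytes:
    """RFC 2865 attribute TLV: type 27, length 6, 32-bit big-endian value."""
    return struct.pack("!BBI", SESSION_TIMEOUT_ATTR, 6, seconds)


def demo() -> dict:
    """Constructed walk-through: an 8-hour account checked one hour in and five minutes early."""
    start = datetime(2008, 6, 24, 9, 0)
    acct = provision("sponsor.jdoe", "Jane", "Doe", start, hours=8)
    one_hour_in = session_timeout(acct, start + timedelta(hours=1))
    return {"username": acct.username,
            "password_ok": password_meets_policy(acct.password),
            "timeout_one_hour_in": one_hour_in,
            "timeout_before_start": session_timeout(acct, start - timedelta(minutes=5)),
            "tlv": encode_session_timeout(one_hour_in)}
```

Because the timeout is computed from the account's remaining validity rather than a fixed value, a guest who logs in late in the window is disconnected at the scheduled end rather than a full session length later; the same calculation is what lets a sponsor's schedule on the NGS be enforced by the WLC.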


Informing the Guest

Sponsor will have three ways to inform the guest:
1) Printing the details
2) Sending the details via e-mail
3) Sending the details via SMS


Sponsor Portal: Create and Print Guest A/C


Sponsor Portal: Guest Report


Guest Access Use Case 1: Wireless-Only Solution

Access control:
- Wireless clients associating with “guest” SSID
- Traffic LWAPP encapsulated between APs and centralized controllers

Path isolation:
- EoIP tunnels statically built between edge and anchor controllers

Services edge:
- Network and web-authentication services offered on the anchor WLAN controller


Guest Access Use Case 2: Integrated Wired + Wireless Solution

Access control:
- Wired clients: assigned to guest VLAN statically or dynamically (802.1x Guest VLAN or Auth-Failed VLAN)
- Wireless clients: associating with “guest” SSID; traffic bridged locally on a guest VLAN (standalone AP model) or tunneled via LWAPP to centralized controllers

Path isolation:
- Use of distributed ACLs
- VRF-Lite and GRE tunnels
- VRF-Lite End-to-End

Services edge:
- Network and web-authentication services provided by an in-band appliance


Guest Access Use Case 3: “Hybrid” Solution

Access control:
- Wired clients: assigned to guest VLAN statically or dynamically (guest VLAN or auth-failed VLAN)
- Wireless clients: associating with “guest” SSID; traffic tunneled via LWAPP to centralized controllers

Path isolation:
- Wired clients: distributed ACLs or VRF+GRE
- Wireless clients: use of EoIP tunnels

Services edge:
- Network and web-authentication services provided by an in-band appliance


Recommended Reading

802.11 Wireless Network Site Surveying and Installation

Wi-Fi Hotspots

Deploying Guest Access with WLAN Controllers

http://www.cisco.com/en/US/customer/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html

Network Virtualization—Guest and Partner Access Deployment Guide

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080849883.pdf

Available Onsite at the Cisco Company Store


Q and A


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.


Appendix


EoIP Tunnel Combination Between WLC Versions

[Table: Remote WLC versions 4.1.185, 4.2.112, 5.0.148, 5.1.78 (rows) against Anchor WLC versions 4.1.185, 4.2.112, 5.0.148, 5.1.78 (columns); the supported/unsupported cell values were not recovered from the slide]


Path Isolation GRE Support on Cisco Catalyst Switches

GRE switched in HW only with Cisco Catalyst 6500 with PFC3-based supervisors

GRE supported in SW on Cisco Catalyst 6500 with Sup II and Cisco Catalyst 4500

GRE switching not supported on 3xxx switches


Access Control: 802.1x and IP Phones (CDP-Based Approach)

CatOS:
set vlan 2 2/1
set port auxiliaryvlan 2/1 5
set port dot1x 5/1 port-control auto

Cisco IOS:
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 5
 dot1x port-control auto

CDP—Cisco Discovery Protocol

- Leverage capabilities of multi-VLAN ports: Voice VLAN ID (VVID) for voice, Port VLAN ID (PVID) for data
- Feature available across all the Cisco Catalyst platforms
- 802.1x authentication enforced only on PVID VLAN
- IP Phone bypasses 802.1x authentication via CDP


Access Control802.1x and IP Phones (Multi-Domain Auth)

Still leveraging the capabilities of multi-VLAN ports

Voice VLAN ID (VVID) for voicePort VLAN ID (PVID) for data

PC and the IP phone are authenticated separately on the same switch portAuthentication can be performed via 802.1x

On voice-VLAN as well as data-VLAN

Supports heterogeneous environments

On voice-VLAN as well as data-VLANIP phones without 802.1X capability require MAC Authentication

CDP not leveraged anymore as 802.1x exemption criteria

Cisco IOS:

  interface FastEthernet0/1
   switchport access vlan 2
   switchport mode access
   switchport voice vlan 5
   dot1x port-control auto
   dot1x host-mode multi-domain
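The two slides above contrast a phone port that relies on the CDP exemption (802.1x enforced on the PVID only) with one running multi-domain authentication. The audit script below is an added example, not code from the presentation: it parses Cisco IOS interface stanzas from a constructed running-config snippet and classifies each port as "cdp-bypass" (voice VLAN plus 802.1x in the default single-host mode), "mda" (dot1x host-mode multi-domain), "dot1x-data-only" or "no-dot1x", so an operator can find phone ports that still depend on the CDP exemption. The interface names and VLAN numbers in the sample are assumptions.

```python
"""Classify Cisco IOS switch ports by their 802.1x / IP phone pattern.

Added example (not from the presentation). SAMPLE_CONFIG is a constructed
running-config excerpt; the classification mirrors the slide content:
  - voice VLAN + 'dot1x port-control auto' in single-host mode relies on
    CDP to exempt the phone ("cdp-bypass")
  - 'dot1x host-mode multi-domain' authenticates phone and PC separately ("mda")
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample config (interface names / VLAN ids are assumptions)
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 5
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 5
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x guest-vlan 100
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
"""


@dataclass
class Port:
    name: str
    lines: List[str] = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(line.startswith(prefix) for line in self.lines)

    def value(self, prefix: str) -> Optional[str]:
        """Return the argument following a command prefix, or None if absent."""
        for line in self.lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return None


def parse_interfaces(config: str) -> List[Port]:
    """Collect indented lines under each 'interface ...' stanza."""
    ports: List[Port] = []
    current: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Port(line.split(None, 1)[1])
            ports.append(current)
        elif current is not None and line.startswith(" "):
            current.lines.append(line.strip())
        else:
            current = None  # '!' or any non-indented line ends the stanza
    return ports


def classify(port: Port) -> str:
    dot1x = port.has("dot1x port-control auto")
    voice_vlan = port.value("switchport voice vlan")
    host_mode = port.value("dot1x host-mode") or "single-host"  # IOS default
    if not dot1x:
        return "no-dot1x"
    if voice_vlan is None:
        return "dot1x-data-only"
    if host_mode == "multi-domain":
        return "mda"
    return "cdp-bypass"  # phone admitted to the VVID via CDP, not authenticated


def audit(config: str) -> Dict[str, str]:
    return {p.name: classify(p) for p in parse_interfaces(config)}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name:20s} {verdict}")
```

Ports reported as "cdp-bypass" are the ones where a device that speaks CDP is placed into the voice VLAN without any 802.1x or MAC authentication; migrating them to multi-domain authentication is the change the second slide describes.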


Access Control: How to Share the Port Behind the IP Phone

The Problem: no link-down event happens on the switch port when a client disconnects from the PC port behind a phone

The Goal: determine the conditions for successfully sharing the PC port between internal employees and guests


Access Control: IP Phone and 802.1x Guest VLAN

Multi-VLAN switch port configured for 802.1x guest VLAN and auth-fail VLAN

IP phone bypasses 802.1x authentication (via CDP) and is deployed into the voice VLAN (VVID)

After three unanswered EAP-Identity-Requests the 802.1x guest VLAN is deployed as data VLAN (PVID)

A guest not equipped with 802.1x supplicant can plug in and have immediate access to the guest VLAN

Port Deployed into the Guest VLAN


Access Control: Removing the Switch Port from Guest VLAN

*Note: This Holds True if the 802.1x Supplicant Is Able to Send EAPOL-Start Frames; if Not, the Port Would Remain Configured in the Guest VLAN

Client equipped with 802.1x supplicant connects and restarts the 802.1x authentication*

Switch port is removed from the guest VLAN

An employee would succeed in the auth process and get access to all the internal network resources

An 802.1x-enabled guest would fail the auth process and be deployed into the auth-failed VLAN


Access Control: Client Disconnecting from IP Phone

An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1x completely: security hole!!!

If a legitimate user tries to gain access, assuming that the MAC address is different, the switch may treat the event as a security violation and disable the port

Also the phone may get disconnected!!!


Access Control: IP Phones Capable of Sending EAPOL-Logoff

*Note: This Holds True if the Switches Run Cisco IOS Code and the Global Command, “dot1x guest-vlan supplicant” Is Configured

Client disconnects from the port behind the IP phone

IP phone detects a link-down event on the PC port and sends an EAPOL-Logoff message on behalf of the client

Receipt of the EAPOL-Logoff message would restart the 802.1x authentication process on the switch port

After three unanswered EAP-Identity-Requests the port is again deployed into the guest VLAN (back to initial condition)*


Access Control: Conditions to Share the Port Behind the IP Phone

1. 802.1x supplicant is able to send EAPOL-Start frames (not default Microsoft-client behavior)

2. IP phones have proxy EAPOL-Logoff capabilities:

Firmware release 7.2(2) for 7940-7960

Firmware release 7.0(1) for 7970

All firmware releases for 7911G

3. Switches are running Cisco IOS code and the “dot1x guest-vlan supplicant” global command is configured

Note: This is a hidden command in the latest Cisco IOS SW releases
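The slides from "IP Phone and 802.1x Guest VLAN" through "Conditions to Share the Port Behind the IP Phone" describe one sequence of port states: three unanswered EAP-Identity-Requests deploy the guest VLAN, an EAPOL-Start from a supplicant restarts authentication, success authorizes the data VLAN and failure deploys the auth-fail VLAN, and a PC unplugging behind the phone produces no link-down, so the port only returns to the guest VLAN if the phone proxies an EAPOL-Logoff. The model below is an added example, not code from the presentation; it replays that sequence against two ports, one whose phone proxies EAPOL-Logoff and one whose phone does not, and shows that the latter stays authorized for the departed client. The VLAN numbers, event names and the assumption that conditions 1 and 3 above are already met are mine.

```python
"""State model of an 802.1x multi-VLAN port shared behind an IP phone.

Added example (not from the presentation). Assumes the supplicant sends
EAPOL-Start and that 'dot1x guest-vlan supplicant' is configured, so the
only variable is whether the phone proxies EAPOL-Logoff for the PC port.
VLAN numbers below are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GUEST_VLAN = 100            # assumed 802.1x guest VLAN
AUTH_FAIL_VLAN = 101        # assumed auth-fail VLAN
DATA_VLAN = 2               # PVID handed to an authenticated employee
MAX_IDENTITY_REQUESTS = 3   # unanswered requests before guest VLAN (per slides)

State = Tuple[str, Optional[int]]


@dataclass
class SharedPort:
    phone_proxies_logoff: bool
    state: str = "connecting"
    data_vlan: Optional[int] = None
    unanswered_requests: int = 0
    authorized_mac: Optional[str] = None

    def event(self, name: str, mac: Optional[str] = None) -> State:
        getattr(self, "_on_" + name)(mac)
        return self.state, self.data_vlan

    def _on_identity_request_timeout(self, mac):
        if self.state != "connecting":
            return
        self.unanswered_requests += 1
        if self.unanswered_requests >= MAX_IDENTITY_REQUESTS:
            self.state, self.data_vlan = "guest", GUEST_VLAN

    def _on_eapol_start(self, mac):
        # A supplicant that sends EAPOL-Start pulls the port out of the guest VLAN
        self.state, self.data_vlan = "authenticating", None
        self.unanswered_requests = 0

    def _on_auth_success(self, mac):
        if self.state == "authenticating":
            self.state, self.data_vlan = "authorized", DATA_VLAN
            self.authorized_mac = mac

    def _on_auth_fail(self, mac):
        if self.state == "authenticating":
            self.state, self.data_vlan = "auth-fail", AUTH_FAIL_VLAN

    def _on_pc_unplug(self, mac):
        # No link-down reaches the switch; only a proxied EAPOL-Logoff restarts auth.
        if self.phone_proxies_logoff:
            self.state, self.data_vlan, self.authorized_mac = "connecting", None, None
            self.unanswered_requests = 0
        # Otherwise the port silently stays authorized for the departed MAC.


def walk(port: SharedPort, events: List[Tuple[str, Optional[str]]]) -> State:
    """Apply events in order and return the final (state, data VLAN)."""
    result: State = (port.state, port.data_vlan)
    for name, mac in events:
        result = port.event(name, mac)
    return result


# Constructed session: guest VLAN, then an employee authenticates, then unplugs
EMPLOYEE_SESSION = [
    ("identity_request_timeout", None),
    ("identity_request_timeout", None),
    ("identity_request_timeout", None),    # -> guest VLAN
    ("eapol_start", "00:11:22:33:44:55"),  # placeholder MAC
    ("auth_success", "00:11:22:33:44:55"), # -> data VLAN
    ("pc_unplug", None),
    ("identity_request_timeout", None),
    ("identity_request_timeout", None),
    ("identity_request_timeout", None),
]


def compare_phone_behaviour() -> Tuple[State, State]:
    """Same events with and without proxy EAPOL-Logoff support on the phone."""
    with_logoff = walk(SharedPort(phone_proxies_logoff=True), EMPLOYEE_SESSION)
    without_logoff = walk(SharedPort(phone_proxies_logoff=False), EMPLOYEE_SESSION)
    return with_logoff, without_logoff


if __name__ == "__main__":
    print(compare_phone_behaviour())
```

The port without proxy logoff finishes the session still authorized on the data VLAN, which is the stale-authorization window the "Client Disconnecting from IP Phone" slide flags; with proxy logoff the same events end back in the guest VLAN.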


Acronyms

VPN—Virtual Private Network

ACL—Access Control List

ACE—Access Control Entries

SSID—Service Set Identifier

MPLS—Multiprotocol Label Switching

DHCP—Dynamic Host Configuration Protocol

DNS—Dynamic Name Services

EAP—Extensible Authentication Protocol

EAPoL—EAP over LAN

AAA—Authentication, Authorization and Accounting

RADIUS—Remote Authentication Dial-In User Service

CDP—Cisco Discovery Protocol

MDA—Multi Domain Authentication

IBNS—Identity-Based Networking Services

WLAN—Wireless LAN

AP—Access Point

WLC—WLAN Controller

LWAPP—Lightweight Access Point Protocol

QoS—Quality of Service

VRF—Virtual Routing/Forwarding

GRE—Generic Routing Encapsulation

mGRE—Multipoint GRE

IGP—Interior Gateway Protocol

EIGRP—Enhanced Interior Gateway Routing Protocol

OSPF—Open Shortest Path First

WAN—Wide Area Network

SVI—Switched Virtual Interface

EoIP—Ethernet over IP