BRKEWN-2016 Designing Unified Guest Access, Wired and Wireless


Page 1: Designing Unified Guest Access, Wired and Wireless (d2zmdbbm9feqrf.cloudfront.net/2010/usa/pdf/BRKEWN-2016.pdf)

BRKEWN-2016

Designing Unified Guest Access, Wired and Wireless

Page 2

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2016_c1

Housekeeping

We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday

Visit the World of Solutions

Please remember this is a ‘non-smoking’ venue!

Please switch off your mobile phones

Please make use of the recycling bins provided

Please remember to wear your badge at all times

Page 3

Agenda

Overview: Guest Access as a Supplementary User Authentication

Wireless Guest Access Control and Path Isolation

Wired Guest Access Control and Path Isolation

Guest Authentication Portal

Guest Provisioning

Monitoring and Reporting

Page 4

Guest Access Overview: Evolution to a Supplementary User Authentication

Page 5

Borderless Network Context

(Diagram: an enterprise network with Data Center, Corporate LAN, Wireless LAN, DMZ and WAN links to a Remote Site, Business Partners and the Public Internet. User profiles shown: Employees, Contractors, Consultant, Partners, Unknown or Guest. Caption: "Several Access Methods, Numerous Profiles".)

Page 6

Guest Access Components

(Diagram: Guest and Employee users served by a NAC Guest Server, an Enterprise Directory and ACS 5.1. Component labels: Customizable Login Page, Sponsored Guest Credentials, Existing Credential Stores, Parity for Wired / WLAN, Centralized Web Page Management, Flexible Access Policies, Integrated Access Authentication, Centralized Accounting, 802.1X/MAB Compatibility.)

Page 7

When to Use Web-Authentication?

802.1X: managed 802.1X devices, known users

MAB (MAC address bypass): managed devices

Web Auth: users without 802.1X devices, users with bad credentials, guests

Web Auth is a supplementary authentication method, most useful when users can't perform or pass 802.1X.

Primary use case: Guest Access. Secondary use case: Employee who fails 802.1X.

(Diagram: a WiFi AP with three client types: an SSC employee client authenticating with 802.1X, an employee with a bad credential, and a guest.)

Page 8

Wireless Guest Access Control and Path Isolation

Page 9

Guest Access Control

LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)

Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs

Control and data traffic tunneled to the controller via CAPWAP: data uses UDP 5247, control uses UDP 5246

Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID

Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

(Diagram: Cisco WLAN Controller Deployments. Access points carry the Guest and Employee SSIDs over LWAPP/CAPWAP across the campus core to a WiSM WLAN controller, which bridges each SSID onto its own wireless VLAN.)

CAPWAP—Control And Provisioning of Wireless Access Points

Page 10

Path Isolation

Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers

Other traffic (employee, for example) still locally bridged at the remote controller on the corresponding VLAN

No need to define the guest VLANs on the switches connected to the remote controllers

Original guest Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels

Redundant EoIP tunnels to the Anchor WLC

2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC

(Diagram: WLAN Controller Deployments with EoIP Tunnel. Guest traffic arrives over LWAPP/CAPWAP at the campus Wireless LAN Controller, crosses the EoIP "Guest Tunnel" to the DMZ or Anchor Wireless Controller, and exits through the Cisco ASA Firewall to the Internet.)

Page 11

Guest Path Isolation: Firewall Ports and Protocols

Open ports in both directions for (Must be Open!):

EoIP packets: IP protocol 97

Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)

Inter-controller CAPWAP (rel 5.0, 6.0, 7.0) data/control traffic: UDP 5247/5246

Inter-controller LWAPP (before rel 5.0) data/control traffic: UDP 12222/12223

Optional management/operational protocols, flagged on the slide as "Do NOT Open!":

SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: TCP port 514
RADIUS Auth/Account: UDP ports 1812 and 1813
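As an added example for this slide (not part of the Cisco deck), the following Python script audits a constructed firewall rule set against the two lists above: every tunnel protocol must be permitted in both directions between the foreign and anchor controllers, and any management protocol the rule set permits from the DMZ anchor toward the campus controller is listed for review. The Rule format, the addresses and the first-match (ACL-style) evaluation are assumptions of the example.

```python
"""Audit a WLC-to-anchor firewall rule set against the port list on this slide.

Added example for this page, not Cisco code. The Rule format, the addresses and
the first-match (ACL-style) evaluation are assumptions of the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FOREIGN_WLC = "10.10.0.5"   # constructed: campus (foreign) controller, inside
ANCHOR_WLC = "192.0.2.10"   # constructed: DMZ anchor controller
DIRECTIONS = ((FOREIGN_WLC, ANCHOR_WLC), (ANCHOR_WLC, FOREIGN_WLC))

# "Must be open" in both directions (CAPWAP releases 5.0 and later).
# Each entry lists acceptable alternatives; mobility may use 16666 or 16667.
REQUIRED = [
    ("EoIP guest tunnel (IP protocol 97)", [("ip97", None)]),
    ("Mobility messaging (UDP 16666 or 16667)", [("udp", 16666), ("udp", 16667)]),
    ("Inter-controller CAPWAP control (UDP 5246)", [("udp", 5246)]),
    ("Inter-controller CAPWAP data (UDP 5247)", [("udp", 5247)]),
]

# Management/operational protocols the slide lists as optional ("Do NOT Open!").
MANAGEMENT = {
    ("tcp", 22), ("tcp", 23), ("udp", 69), ("udp", 123), ("udp", 161), ("udp", 162),
    ("tcp", 443), ("tcp", 80), ("tcp", 514), ("udp", 1812), ("udp", 1813),
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip97"
    src: str
    dst: str
    port: Optional[int] = None  # None for protocols without ports (EoIP)


def permitted(rules: List[Rule], proto: str, port: Optional[int], src: str, dst: str) -> bool:
    """First matching rule wins, like an ACL; no match means implicit deny."""
    for r in rules:
        if r.proto != proto or r.src != src or r.dst != dst:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def audit(rules: List[Rule]) -> List[str]:
    """Findings: required tunnel flows that are missing, and management ports the
    rule set opens from the DMZ anchor toward the campus controller."""
    findings = []
    for name, options in REQUIRED:
        for src, dst in DIRECTIONS:
            if not any(permitted(rules, p, port, src, dst) for p, port in options):
                findings.append(f"MISSING: {name} {src} -> {dst}")
    for proto, port in sorted(MANAGEMENT):
        if permitted(rules, proto, port, ANCHOR_WLC, FOREIGN_WLC):
            findings.append(f"REVIEW: {proto}/{port} permitted from DMZ anchor {ANCHOR_WLC} into campus WLC {FOREIGN_WLC}")
    return findings


# Constructed rule set with two deliberate problems: the return direction of
# CAPWAP data is missing, and Telnet has been opened from the DMZ inward.
SAMPLE_RULES = [
    Rule("permit", "ip97", FOREIGN_WLC, ANCHOR_WLC),
    Rule("permit", "ip97", ANCHOR_WLC, FOREIGN_WLC),
    Rule("permit", "udp", FOREIGN_WLC, ANCHOR_WLC, 16666),
    Rule("permit", "udp", ANCHOR_WLC, FOREIGN_WLC, 16666),
    Rule("permit", "udp", FOREIGN_WLC, ANCHOR_WLC, 5246),
    Rule("permit", "udp", ANCHOR_WLC, FOREIGN_WLC, 5246),
    Rule("permit", "udp", FOREIGN_WLC, ANCHOR_WLC, 5247),
    Rule("permit", "tcp", ANCHOR_WLC, FOREIGN_WLC, 23),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Run it directly to print the findings for SAMPLE_RULES; replacing that list with the rules of a real design gives the same two kinds of output, missing tunnel flows and management ports that need a justification.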

Page 12

Guest Path Isolation Using VRF

Virtual Routing/Forwarding (VRF) is the L3 virtualization used in Enterprise Campus networks

Guest isolation is done by dedicated VRF instances

(Diagram: Campus Virtualization. Employee VRF and Guest VRF run beside the global routing table; between devices each VRF is carried over 802.1q, GRE, LSP, a physical interface or other logical or physical Layer 3 interfaces.)

Page 13

Guest Path Isolation Using VRF

CAPWAP path isolation at the access layer

L2 path isolation between WLC and default gateway

L3 VRF isolation from WLC to firewall guest DMZ interface

(Diagram: WLC and VRF Virtualization. A wireless guest reaches the corporate access layer over CAPWAP; the Wireless LAN Controller bridges the guest onto an isolated L2 VLAN; L3 switches with VRF keep the Guest VRF separate from the Global table and Employee VRF of the corporate intranet, up to the Guest DMZ interface of the Cisco ASA Firewall (Inside/Outside to the Internet). Guest Provisioning is shown alongside.)

Page 14

Wired Guest Access Control and Path Isolation

Page 15

Wired Guest Access

The Wired Guest Access Enforcement Point can be delivered in two different locations:

Web Authentication on Catalyst Switches

Wired Guest Access Feature on Wireless LAN Controllers

(Diagram: Wired Guest Enforcement Point options. Catalyst Web Auth, 802.1X Guest VLAN Failover and Open (guest) VLAN on the access switch; WLC Wired Guest Access on the controller. Isolation labels: L3 Path Isolation, L2 Path Isolation.)

Page 16

Wired (Guest) Access Basic Operation

(Diagram: Switch, DHCP/DNS, AAA Server)

1. Port enabled, pre-auth ACL applied
   Triggers: 802.1X timeout, 802.1X failure, MAB failure (multiple triggers, single port config, mostly Flex-auth)

2. Host acquires IP address, triggers session state (DHCP, ARP trigger state)

3. Host opens browser; login page is returned

4. Host sends password

5. Switch queries AAA server; AAA server returns policy and authorizes the user

6. Switch applies new ACL policy

Notes:
Access VLAN only; VLAN assignment not supported
Pre-auth ACL must permit DHCP, DNS
ACL applies to the port -> phones must use MDA
Use Web Auth AAA Fail Policy for AAA outages
IP HTTP (Secure-)Server enabled; user may be prompted for cert trust

Page 17

Wired Guest L3 Path Isolation with VRF

Access using VLAN isolation

Web Authentication by Catalyst switches

Wired guest isolation with VRF for L3 isolation

(Diagram: a wired guest on an isolated L2 VLAN at the corporate access layer; L3 switches with VRF carry the Guest VRF separately from the Global table and Employee VRF of the corporate intranet to the Guest DMZ interface of the Cisco ASA Firewall (Inside/Outside to the Internet). Guest Provisioning is shown alongside.)

Page 18

WLC Wired Guest Access

Wired guest ports provided in designated locations and plugged into an access switch

The configuration on the access switch puts these ports into a wired guest Layer 2 VLAN

On a single WLAN Controller the guest VLAN is trunked into the WLC

In a multi-controller deployment with Auto Anchor mode the guest VLAN is trunked into the Foreign controller and then tunneled to the DMZ Anchor controller

(Diagram: Wired Guest Access by Wireless LAN Controllers. A wired guest on an isolated L2 VLAN and a wireless guest both reach the campus Wireless LAN Controller; an EoIP tunnel carries them to the DMZ or Anchor Wireless LAN Controller and out through the Cisco ASA Firewall to the Internet, separate from the corporate intranet.)

Page 19

WLC Wired Guest Access: Deployment Requirements

Five guest LANs for wired guest access are supported

Admin can create wired guest VLANs on the WLC and associate them with the guest LAN

Web-auth is the default security on a wired guest LAN, but open and web pass-through can also be used

No L2 security like 802.1X is supported

Multicast and broadcast traffic are dropped on wired guest VLANs to reduce the load on the overall network

Wired guest access is supported on a single guest WLC or in an Anchor-Foreign guest WLC scenario

Page 20

Architecture Summary

Wireless is the preferred Guest Access technology because it provides no physical connectivity to the corporate network

Wired Guest Access can be delivered by Catalyst Switches or a Wireless LAN Controller

An Anchor Controller in the Guest DMZ allows for full path isolation from Access Point to Guest DMZ

VRF can be used for L3 guest isolation

Cisco ASA Firewall provides Internet access security and advanced security features for guest control

Page 21

Guest Services Portal

Page 22

Guest Authentication Portal

Wireless and Wired Guest Authentication Portal is available in four modes:

Internal (default Web Authentication pages)

Customized (downloaded customized web pages)

External using NAC Guest Server

External (redirected to external server)

Page 23

Wireless Guest Authentication Portal: Internal Web Portal

Wireless guest user associates to the guest SSID

Initiates a browser connection to any website

Web login page is displayed

(Screenshot: the internal login page, with fixed text and a configurable welcome text.)

Page 24

Wireless Guest Authentication Portal: Customizable Web Portal

Create your own Guest Access Portal web pages

Upload the customized web page to the WLC

Configure the WLC to use the "customizable web portal"

Customized WebAuth bundle can contain:

22 login pages (16 WLANs, 5 wired LANs and 1 global)

22 login failure pages (in WCS 5.0 and up)

22 login successful pages (in WCS 5.0 and up)

Page 25

Wired Guest Authentication Portal: Catalyst Switches Internal Web Portal

Wired Auth-Proxy banner

Configurable welcome text from IOS config (the rest of the page is fixed text)

(config)# ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C

Page 26

Wired Guest Authentication Portal: Catalyst Switches Customizable Web Portal

Configurable HTML pages on bootflash: 4 pages / 8 KB each: login, success, expired, failure

Completely customizable

Images must be embedded or external

4 files, 8 KB max each:

(config)# ip admission proxy http login page file bootflash:login.html
(config)# ip admission proxy http success page file bootflash:success.html
(config)# ip admission proxy http failure page file bootflash:fail.html
(config)# ip admission proxy http login expired page file bootflash:expired.html

Page 27

Centralized Wireless and Wired Guest Portal: NAC Guest Server (NGS)

Multi-function standalone appliance

Customizable hotspot hosting

Sponsored guest access provisioning, verification, management

Page 28

Centralized Login Page: Wireless Guest

1) Administrator creates WLAN login page on NGS

2) Wireless guest opens web browser

3) Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server

4) Guest Server returns the centralized login page

(Diagram: AP, WLC and NGS, with the redirect at step 3 and steps 1, 2 and 4 marked.)

Page 29

Centralized Login Page: Wired Guest

1) Administrator creates wired login page on NGS

2) Wired guest opens web browser

3) Web traffic is intercepted by the switch and redirected to the Guest Server

4) Guest Server returns the centralized login page

Looks exactly the same as wireless

(Diagram: switch and NGS, with the redirect at step 3 and steps 1, 2 and 4 marked.)

Page 30

Authentication and Authorization

1) Administrator creates wired login page on NGS

2) Wired guest opens web browser

3) Web traffic is intercepted by the switch and redirected to the Guest Server

4) Guest Server returns the centralized login page

5) Guest submits credentials to the switch (POST to switch: username, pwd)

6) Switch authenticates the credentials and controls access

Authentication and access control are still local to the switch

(Diagram: switch and NGS; steps 1 to 4 as on the previous slide, then the credential POST (5) to the switch and local authentication and access control (6).)

Page 31

Guest Services Provisioning

Page 32

Requirements for Guest Provisioning

Might be performed by non-IT personnel

Must deliver basic features, but might also require advanced features:

Duration

Start/end time

Bulk provisioning, …

Provisioning strategies:

Lobby ambassador

Employees

Page 33

Multiple Guest Provisioning Services

The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:

Tool                             Provisioning               Delivery
Cisco Wireless LAN Controller    Basic Provisioning         Included in Cisco Wireless LAN Solution
Cisco Wireless Control System    Advanced Provisioning      Included in Cisco Wireless LAN Solution
Cisco NAC Guest Server           Dedicated Provisioning     Additional Cisco Product
Customer Server                  Customized Provisioning    Customer Development

Page 34

Guest Provisioning Service: WLC

Lobby Ambassador accounts can be created directly on Wireless LAN Controllers

Lobby Ambassadors have limited guest features and must create the user directly on the WLC:

Create guest user—up to 2048 entries

Set time limitation—up to 30 days

Set guest SSID

Set QoS profile

Cisco Wireless LAN Controller

Page 35

Guest Provisioning Service: WCS

WCS offers specific Lobby Ambassador access for guest management only

Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers

Lobby Ambassadors on WCS are able to create guest accounts with advanced features like:

Start/end time and date, duration

Bulk provisioning

Set QoS profiles

Set access based on WLC, Access Points, or location

Cisco Wireless Control System

Page 36

Guest Provisioning Service: Add a Guest User with WCS

Page 37

Guest Provisioning Service: Print/E-Mail Details of Guest User

Page 38

Guest Provisioning Service: Schedule a Guest User (Configure Controller Template > Schedule Guest User)

Page 39

Guest Provisioning Service: NGS (Cisco NAC Guest Server)

Dedicated external server

Complete provisioning, accounting, reporting, and billing services

Advanced features: full sponsor and guest user policies

Large guest account base using RADIUS

Easy integration with Clean Access and WLC

Email and SMS notifications

Sponsor authentication through local database, LDAP or Active Directory

Page 40

Cisco NAC Guest Server: NGS Configuration

1. IT Administrator configures NGS:

Sponsor or LA access rights

Declare Guest Anchor WLC in NGS

Configure security/policy rules

2. IT Admin configures WLC to use Cisco NGS:

Define Guest SSID

Associate NGS as RADIUS Server

(Diagram: the Wireless LAN Controller (policy enforcement, guest web portal) on the corporate network toward the Internet; the NAC Guest Server (lobby ambassador portal, guest account database, monitoring and reporting); a Guest (visitor, contractor, customer); a Lobby Ambassador or employee sponsor; and the IT Admin (network/solution management) performing steps 1 and 2.)

Page 41

Cisco NAC Guest Server: Admin Interface

Admin portal is required to configure the device

Page 42

Cisco NAC Guest Server: Sponsor Authentication (Local Account/AD)

The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account

Page 43

Cisco NAC Guest Server: Guest Policy (Username/Password Policy)

Username policy:
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters

Password policy:
1. Alphabetic characters
2. Numeric characters
3. Special characters
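As an added example (not NGS code), here is how a sponsor portal could issue credentials that satisfy a policy like the one on this slide: a username built from the e-mail address, from first and last name, or drawn at random from letters, digits and special characters, and a password generated with the operating system CSPRNG that is guaranteed to contain all three character classes. The special-character set, the first.last username format and the default lengths are assumptions of the example; the policy options themselves follow the slide.

```python
"""Issue guest credentials under a username/password policy like the one on this slide.

Added example, not NGS code. The special-character set, the first.last username
format and the default lengths are assumptions of the example.
"""
import re
import secrets
import string

SPECIAL = "!#$%&*+-=?@_"          # assumed special-character set
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_username(policy: str, *, email: str = "", first: str = "", last: str = "",
                  length: int = 8) -> str:
    """policy is 'email', 'name' or 'random', the three options on the slide."""
    if policy == "email":
        if not EMAIL_RE.match(email):
            raise ValueError("username policy 'email' needs a valid e-mail address")
        return email.lower()
    if policy == "name":
        if not (first and last):
            raise ValueError("username policy 'name' needs first and last name")
        return f"{first}.{last}".lower()
    if policy == "random":
        alphabet = string.ascii_letters + string.digits + SPECIAL
        return "".join(secrets.choice(alphabet) for _ in range(length))
    raise ValueError(f"unknown username policy {policy!r}")


def password_meets_policy(pw: str, min_alpha: int = 1, min_digit: int = 1,
                          min_special: int = 1, min_length: int = 8) -> bool:
    """The slide's three password classes, each with a minimum count (counts assumed),
    and nothing outside those classes."""
    return (len(pw) >= min_length
            and sum(c.isalpha() for c in pw) >= min_alpha
            and sum(c.isdigit() for c in pw) >= min_digit
            and sum(c in SPECIAL for c in pw) >= min_special
            and all(c.isalnum() or c in SPECIAL for c in pw))


def make_password(length: int = 10, min_alpha: int = 1, min_digit: int = 1,
                  min_special: int = 1) -> str:
    """Draw each class's minimum first so the policy always holds, fill the rest from
    the whole alphabet, then shuffle with the CSPRNG so class positions are not fixed."""
    if length < min_alpha + min_digit + min_special:
        raise ValueError("length too short for the required character classes")
    chars = ([secrets.choice(string.ascii_letters) for _ in range(min_alpha)]
             + [secrets.choice(string.digits) for _ in range(min_digit)]
             + [secrets.choice(SPECIAL) for _ in range(min_special)])
    alphabet = string.ascii_letters + string.digits + SPECIAL
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def issue_guest(first: str, last: str, email: str, username_policy: str = "email") -> dict:
    """What a sponsor portal would hand back for printing, e-mail or SMS delivery."""
    username = make_username(username_policy, email=email, first=first, last=last)
    password = make_password()
    if not password_meets_policy(password):
        raise RuntimeError("generated password violates policy")  # cannot happen by construction
    return {"username": username, "password": password}
```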

Page 44

Cisco NAC Guest Server: WLC Integration (Guest Server Configuration)

Add the WLC that performs WebAuth as a RADIUS client in the NGS

NGS uses standard RADIUS Attribute 27 (Session-Timeout)

Page 45

Cisco NAC Guest Server: Informing the Guest

The sponsor has three ways to inform the guest:

1. Printing the details

2. Sending the details via e-mail

3. Sending the details via SMS

Page 46

Cisco NAC Guest Server: Sponsor Portal, Create and Print Guest Access Credentials

Page 47

Cisco NAC Guest Server: Guest User Creation

1. Sponsor creates the guest account through the dedicated NGS server

2. Credentials are delivered to the guest by print, email or SMS

3. Guest authenticates on the guest portal

4. RADIUS request from the WLC to the Cisco NGS server

5. RADIUS response with policies (session timeout, …)

6. RADIUS accounting with session information (time, login, IP, MAC, …)

7. Traffic can go through

(Diagram: the Wireless LAN Controller (policy enforcement, guest web portal) on the corporate network toward the Internet; the NAC Guest Server (lobby ambassador portal, guest account database, monitoring and reporting); a Guest (visitor, contractor, customer); a Lobby Ambassador or employee sponsor. Steps 1 to 7 are marked, with RADIUS Requests and RADIUS Accounting flowing from the controller to the NGS.)
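Steps 4 and 5 above are a standard RADIUS exchange, and slide 44 noted that NGS returns the session limit in attribute 27. The following added example (not Cisco or NGS code) implements both sides of that exchange with RFC 2865 framing: the WLC hides the guest password with the Request Authenticator and shared secret, the guest server checks the account's validity window and answers Access-Accept with Session-Timeout set to the seconds remaining, and the WLC verifies the Response Authenticator before it treats the reply as genuine. The shared secret, the guest database and the NAS address are constructed for illustration.

```python
"""RADIUS exchange for steps 4 and 5: the WLC (NAS) sends an Access-Request with the
guest's credentials; the guest server answers Access-Accept with Session-Timeout (27).
Added example using RFC 2865 framing, not Cisco or NGS code. The shared secret, the
guest database and the NAS address are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 27

SECRET = b"constructed-shared-secret"    # configured on both the WLC and the guest server
NAS_IP = "10.10.0.5"                      # constructed WLC address
GUEST_DB: Dict[str, dict] = {             # constructed sponsor-created account (epoch seconds)
    "guest001": {"password": "Pa55-word!", "valid_from": 1000, "valid_to": 4600},
}

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def hide_password(pw: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, body: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def wlc_access_request(username: str, password: str, ident: int = 7) -> Tuple[bytes, bytes]:
    """Step 4. The WLC keeps the Request Authenticator to validate the reply later."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), SECRET, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def guest_server_handle(packet: bytes, now: int) -> bytes:
    """Step 5. Accept only inside the account's validity window; Session-Timeout is the
    number of seconds left, so the WLC ends the session when the account expires."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    acct = GUEST_DB.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    supplied = unhide_password(attrs.get(USER_PASSWORD, b""), SECRET, req_auth)
    ok = (code == ACCESS_REQUEST and acct is not None
          and hmac.compare_digest(supplied, acct["password"].encode())
          and acct["valid_from"] <= now < acct["valid_to"])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(SESSION_TIMEOUT, struct.pack("!I", acct["valid_to"] - now))]) if ok else b""
    auth = response_authenticator(reply_code, ident, body, req_auth, SECRET)
    return struct.pack("!BBH", reply_code, ident, 20 + len(body)) + auth + body

def wlc_handle_reply(reply: bytes, req_auth: bytes) -> Tuple[int, int]:
    """The WLC trusts the reply only if the Response Authenticator verifies, so an
    altered or forged Accept from another host is rejected."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req_auth, SECRET)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from the configured server")
    attrs = dict(decode_attrs(reply[20:length]))
    return code, (struct.unpack("!I", attrs[SESSION_TIMEOUT])[0] if SESSION_TIMEOUT in attrs else 0)

def run_exchange(username: str, password: str, now: int) -> Tuple[int, int]:
    """Whole exchange; returns (reply code, Session-Timeout in seconds)."""
    request, req_auth = wlc_access_request(username, password)
    return wlc_handle_reply(guest_server_handle(request, now), req_auth)
```

The validity window is what turns a sponsor's "valid until" into enforcement: the guest server never hands out a timeout longer than the account's remaining life, and a request after expiry is rejected outright rather than relying on the controller to notice.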

Page 48

Cisco NAC Guest Server: Lobby Ambassador—Guest Account Creation

(Screenshot: personal settings, several ways to create guest accounts, tools to manage guest accounts.)

Page 49

Reporting and Monitoring

Page 50

Cisco NAC Guest Server: Sponsor Portal, Guest Reports and Logs

Page 51

Aggregation of Guest Information

NGS aggregates guest reporting information:

From WLC (RADIUS accounting): login, start/stop time, MAC address, source IP address

From ASA (syslog): destination IP address/ports, URL logging, …

(Diagram: a wireless guest through the campus Wireless LAN Controller to the DMZ or Anchor Wireless LAN Controller and the Cisco ASA Firewall toward the Internet, separate from the corporate intranet; the controller sends RADIUS to the NGS Guest Server and the ASA sends syslog.)

ASA configuration shown on the slide:

ntp server 192.168.215.62
policy-map global_policy
 class inspection_default
  inspect http
!
service-policy global_policy global
logging enable
logging timestamp
logging list WebLogging message 304001
logging trap WebLogging
logging facility 21
logging host inside 192.168.215.16
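The two feeds above are what make a guest activity report possible: RADIUS accounting says which guest held which IP and MAC during which interval, and ASA message 304001 (selected by the logging list in the configuration above) says which URLs that IP fetched. The following added example (not NGS code) joins them: it pairs accounting Start/Stop records into sessions and attributes each URL hit to the guest whose session covered that source IP at that time; hits with no covering session are returned separately, since every guest IP should be inside an accounted session. The accounting records, the syslog lines and the timestamp layout are constructed, and the 304001 body is parsed as "<source> Accessed URL <destination>: <url>".

```python
"""Correlate WLC RADIUS accounting with ASA URL-logging syslog (message 304001).

Added example, not NGS code. The accounting records, the syslog lines and the
timestamp layout are constructed; the 304001 message body is parsed as
"<source> Accessed URL <destination>: <url>"."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed RADIUS accounting records as a collector might store them. Attribute
# names are the standard ones: Acct-Status-Type, Acct-Session-Id, User-Name,
# Framed-IP-Address, Calling-Station-Id (the client MAC).
ACCOUNTING = [
    {"time": "Jun 15 2010 09:58:10", "Acct-Status-Type": "Start", "Acct-Session-Id": "4c17a1b2",
     "User-Name": "guest001", "Framed-IP-Address": "192.168.50.23", "Calling-Station-Id": "00-1a-2b-3c-4d-5e"},
    {"time": "Jun 15 2010 10:05:00", "Acct-Status-Type": "Start", "Acct-Session-Id": "4c17a1c9",
     "User-Name": "guest002", "Framed-IP-Address": "192.168.50.24", "Calling-Station-Id": "00-1a-2b-aa-bb-cc"},
    {"time": "Jun 15 2010 10:20:00", "Acct-Status-Type": "Stop", "Acct-Session-Id": "4c17a1b2",
     "User-Name": "guest001", "Framed-IP-Address": "192.168.50.23", "Calling-Station-Id": "00-1a-2b-3c-4d-5e"},
]

# Constructed ASA syslog lines as sent with "logging timestamp" enabled.
SYSLOG = """\
Jun 15 2010 10:01:12: %ASA-5-304001: 192.168.50.23 Accessed URL 198.51.100.7:http://example.com/
Jun 15 2010 10:07:45: %ASA-5-304001: 192.168.50.24 Accessed URL 198.51.100.9:http://example.net/news
Jun 15 2010 10:25:30: %ASA-5-304001: 192.168.50.23 Accessed URL 198.51.100.7:http://example.com/login
Jun 15 2010 10:26:02: %ASA-5-304001: 192.168.50.99 Accessed URL 198.51.100.3:http://example.org/
"""

TS_FMT = "%b %d %Y %H:%M:%S"
URL_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-5-304001: "
                    r"(?P<src>\S+) Accessed URL (?P<dst>[^:\s]+): ?(?P<url>\S+)$")


def build_sessions(records: List[dict]) -> List[dict]:
    """Pair Start/Stop by Acct-Session-Id; a session without a Stop is still open."""
    sessions: Dict[str, dict] = {}
    for r in sorted(records, key=lambda rec: datetime.strptime(rec["time"], TS_FMT)):
        t = datetime.strptime(r["time"], TS_FMT)
        s = sessions.setdefault(r["Acct-Session-Id"], {
            "user": r["User-Name"], "ip": r["Framed-IP-Address"],
            "mac": r["Calling-Station-Id"], "start": None, "stop": None})
        if r["Acct-Status-Type"] == "Start":
            s["start"] = t
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"] = t
    return list(sessions.values())


def attribute_urls(syslog_text: str, sessions: List[dict]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each 304001 hit to the guest whose session held that source IP at that time.
    Hits with no covering session are returned separately for review."""
    by_user: Dict[str, List[str]] = defaultdict(list)
    unattributed: List[str] = []
    for line in syslog_text.splitlines():
        m = URL_RE.match(line)
        if not m:
            continue  # other message IDs are not URL logs
        ts = datetime.strptime(m["ts"], TS_FMT)
        owner = next((s for s in sessions
                      if s["ip"] == m["src"] and s["start"] is not None and s["start"] <= ts
                      and (s["stop"] is None or ts <= s["stop"])), None)
        if owner is None:
            unattributed.append(line)
        else:
            by_user[owner["user"]].append(f"{m['ts']} {m['url']} ({m['dst']})")
    return dict(by_user), unattributed


if __name__ == "__main__":
    report, leftovers = attribute_urls(SYSLOG, build_sessions(ACCOUNTING))
    for user, hits in report.items():
        print(user, hits)
    print("unattributed:", leftovers)
```

In the constructed data the third line is the interesting one: the IP that guest001 held is seen fetching a URL five minutes after that guest's accounting Stop, so it lands in the unattributed list instead of being charged to guest001.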

Page 52

Guest Activity Reporting

Page 53

Summary

Page 54

From Wireless Guest Access …

(Diagram: Guest and Sponsored Guest, Wireless Control System, Wireless LAN Controller.)

Page 55

… to Unified Wired and Wireless Guest Access …

(Diagram: Guest Parity for Wired / WLAN; NGS Guest Server; Sponsored Guest.)

Page 56

… to Centralized Policy and Accounting

(Diagram: Active Directory behind a RADIUS proxy; Guest, Employee (SSC) and Employee-Sponsored Guest; NGS Guest Server. Labels: Parity for Wired / WLAN, Centralized Policy & Accounting, 802.1X/MAB Compatibility.)

Page 57

What We Have Covered…

What a Guest Access Service is made of

The need for a secured infrastructure to support isolated Guest traffic. Unified Wireless is a key component of this infrastructure.

The Guest Service components are integrated in the Cisco Wired and Wireless Solution.

Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network

Page 58

Recommended Reading BRKEWN-2016

Page 59

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Preferred Access points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Page 60

Check the Recommended Reading brochure for suggested products available at the Cisco Store

Enter to Win a 12-Book Library of Your Choice from Cisco Press

Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code

Page 61

Page 62

Additional Slides: Evolution to a Supplementary User Authentication

Page 63

Challenge in Building an Access Policy in a Borderless Network

Authorized Access

Who is on my network?

Can I manage the risk of using personal PCs?

Common access rights when on-prem, at home, on the road?

Are endpoints healthy?

Guest Access

Can I allow guests Internet-only access?

How do I manage guest access?

Can this work in wireless and wired?

How do I monitor guest activities?

Non-User Devices

How do I discover non-user devices?

Can I determine what they are?

Can I control their access?

Are they being spoofed?

Access Policy

Page 64

Why Web Authentication for Guest?

User-based

Familiar

Ubiquitous

Clientless

Page 65

Additional Slides: LWAPP/CAPWAP Controller Configurations

Page 66

Guest Access Control WLAN Controller Deployments

Access Layer Switch (No Trunk Between AP and Access Layer Switch, Only AP Mgmt VLAN Defined):

vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access

Cisco Catalyst Switch (Connected to WLAN Controller; SVIs Corresponding to Each SSID Are Defined Here):

vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown

Page 67

Guest Access Control WLAN Controller Deployments

Create the employee and guest VLAN in the controller

Page 68

Guest Access Control WLAN Controller Deployments

Map the employee/guest WLAN in the controller to the respective employee/guest VLAN

Page 69

Additional Slides: Building the EoIP Tunnel

Page 70

Guest Path Isolation

Specify a mobility group for each WLC

Open ports for: Inter-Controller Tunneled Client Data

Inter-Controller Control Traffic

Configure the mobility groups and add the MAC address and IP address of the remote WLC

Create identical WLANs on the Remote and Anchor controllers

Create the Mobility Anchor for the Guest WLAN

Modify the timers in the WLCs

Check the status of the Mobility Anchors for the WLAN

Pros

Simple configuration

Overlay solution: no need to modify the network configuration

Cons

Supports wireless and wired (layer-2 adjacent) guest clients only

Limited to WLAN Controller wireless deployments

Building the EoIP Tunnel

Page 71

Guest Path Isolation

Each WLC is part of a mobility group

WLAN Controller Deployments with EoIP Tunnel: Remote Controller Configuration

Page 72

Guest Path Isolation

Configure the mobility groups and add the MAC address and IP address of the remote WLCs

WLAN Controller Deployments with EoIP Tunnel: Anchor and Remote Controller Configuration

Screenshots: Anchor and Remote

Page 73

Create the mobility anchor for the guest WLAN on Remote WLCs

WLAN Controller Deployments with EoIP Tunnel: Remote Controller Configuration

Guest Path Isolation

Page 74

Create the Mobility Anchor for the guest WLAN on Anchor WLC

WLAN Controller Deployments with EoIP Tunnel: Anchor Controller Configuration

Guest Path Isolation

Page 75

Path Isolation

Modify the timers on the Anchor WLCs

WLAN Controller Deployments with EoIP Tunnel: Anchor Controller

Check the status of the mobility anchors for the WLAN

Page 76

Guest Network Redundancy

Anchor WLC reachability is determined using the EoIP ping (data path) functionality

The Foreign WLC sends pings at configurable intervals to check whether the Anchor WLC is alive

Once an Anchor WLC failure is detected, a DEAUTH is sent to the client

The Remote WLC keeps monitoring the Anchor WLC

Under normal conditions, clients are balanced between Anchor WLCs in round-robin fashion

Diagram: Campus Core with EtherIP “Guest Tunnels” from Foreign WLC F1 to Anchor WLCs A1 and A2 (Primary Link and Redundant Link); CAPWAP APs serving Guest and Secure SSIDs; Wireless VLANs; Guest VLAN 10.10.60.x/24; management addresses 10.10.80.3, 10.10.75.2 and 10.10.76.2; Internet
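An added illustration (not Cisco's code) of the failover behaviour described above: a foreign WLC tracking two anchors at the management addresses from the diagram, balancing new clients round-robin, deauthenticating the clients of an anchor whose data-path pings stop, and returning that anchor to rotation when pings resume. The missed-ping threshold is an assumed parameter, not the controller's default.

```python
from itertools import cycle


class ForeignWlc:
    """Model of the foreign (remote) WLC's behaviour toward its anchor WLCs.

    Constructed for illustration only; dead_after is an assumption, not the
    controller's real keepalive count.
    """

    def __init__(self, anchors, dead_after=3):
        self.anchors = list(anchors)                 # anchor management IPs
        self.alive = {a: True for a in self.anchors}
        self.misses = {a: 0 for a in self.anchors}   # consecutive unanswered EoIP pings
        self.dead_after = dead_after
        self.clients = {}                            # client MAC -> anchor IP
        self._rr = cycle(self.anchors)

    def anchor_for_new_client(self, mac):
        """Round-robin over live anchors; None when no anchor is reachable."""
        for _ in range(len(self.anchors)):
            anchor = next(self._rr)
            if self.alive[anchor]:
                self.clients[mac] = anchor
                return anchor
        return None

    def eoip_ping_result(self, anchor, replied):
        """Record one data-path ping result for an anchor.

        Returns the client MACs that must be deauthenticated because their
        anchor was just declared dead. A dead anchor keeps being pinged and
        rejoins the rotation as soon as it answers again.
        """
        if replied:
            self.misses[anchor] = 0
            self.alive[anchor] = True
            return []
        self.misses[anchor] += 1
        if self.alive[anchor] and self.misses[anchor] >= self.dead_after:
            self.alive[anchor] = False
            lost = [mac for mac, a in self.clients.items() if a == anchor]
            for mac in lost:
                del self.clients[mac]   # DEAUTH: client re-associates and lands on a live anchor
            return lost
        return []


if __name__ == "__main__":
    # Anchor WLC management addresses A1/A2 from the redundancy diagram.
    foreign = ForeignWlc(["10.10.75.2", "10.10.76.2"])
    for mac in ("c1", "c2", "c3"):
        print(mac, "->", foreign.anchor_for_new_client(mac))
    for _ in range(3):
        print("deauth:", foreign.eoip_ping_result("10.10.75.2", replied=False))
    print("c1 again ->", foreign.anchor_for_new_client("c1"))
```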

Page 77

Path Isolation: Sample Firewall Configuration

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
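As an added check (not part of the slides), an audit that parses the ACL entries above and confirms the foreign/anchor pair is permitted exactly the three mobility flows (UDP 16666, UDP 16667, IP protocol 97) and nothing broader. `SLIDE_ACL` copies the entries above; `LAX_ACL` is a constructed variant.

```python
import re

# One ASA extended ACE in the host/any forms the slide uses:
#   access-list NAME extended permit|deny PROTO (host A|any) (host B|any) [eq PORT]
# Constructed parser for this audit only, not a general ASA ACL grammar.
ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# What a foreign/anchor pair needs through the firewall: mobility control
# (UDP 16666), tunnelled client data (UDP 16667) and EtherIP (IP protocol 97).
MOBILITY_FLOWS = {("udp", "16666"), ("udp", "16667"), ("97", None)}


def parse_aces(config_text):
    """Extract ACEs from ASA configuration text; other lines are ignored."""
    aces = []
    for raw in config_text.splitlines():
        m = ACE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["src"] = ace["src"].replace("host", "").strip()
            ace["dst"] = ace["dst"].replace("host", "").strip()
            ace["proto"] = ace["proto"].lower()
            ace["line"] = raw.strip()
            aces.append(ace)
    return aces


def audit_mobility_acl(config_text, foreign_ip, anchor_ip):
    """Return (missing_flows, overbroad_lines).

    A flow counts as permitted only by an entry scoped to exactly the two
    controllers (either direction). Entries with "any" or "permit ip" are
    reported as overbroad rather than credited, because they would also let
    guest-VLAN hosts reach the inside network through the same firewall.
    """
    permitted, overbroad = set(), []
    for ace in parse_aces(config_text):
        if ace["action"] != "permit":
            continue
        if "any" in (ace["src"], ace["dst"]) or ace["proto"] == "ip":
            overbroad.append(ace["line"])
            continue
        if {ace["src"], ace["dst"]} != {foreign_ip, anchor_ip}:
            continue
        if ace["port"] is None and ace["proto"] in ("udp", "tcp"):
            # A port-less UDP/TCP entry covers every port of that protocol.
            permitted |= {f for f in MOBILITY_FLOWS if f[0] == ace["proto"]}
        else:
            permitted.add((ace["proto"], ace["port"]))
    missing = sorted(MOBILITY_FLOWS - permitted, key=str)
    return missing, overbroad


# The three entries from the slide's sample configuration.
SLIDE_ACL = """
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
"""
# Constructed variant: EtherIP forgotten and "fixed" with a blanket permit.
LAX_ACL = """
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit ip any any
"""

if __name__ == "__main__":
    for label, acl in (("slide", SLIDE_ACL), ("lax", LAX_ACL)):
        print(label, audit_mobility_acl(acl, "10.50.10.26", "10.70.0.2"))
```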

Page 78

Show Mobility Summary

Show Commands

Page 79

Show Mobility Anchor

Show Mobility Statistics

Show Commands

Page 80

Show Commands: Remote and Anchor WLC (show client detail mac_address)

Remote (foreign) WLC:

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None

Anchor WLC:

(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
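An added verification (not from the slides) that reads both `show client detail` outputs above and confirms what path isolation should show: the foreign side in Export Foreign pointing at the anchor, the anchor side in Export Anchor pointing back at the foreign, web authentication in RUN, and the client placed on the guest VLAN. The excerpts are trimmed copies of the output above.

```python
import re

# Excerpts in the layout of the WLC "show client detail" output above (remote,
# then anchor); only the fields the check reads are kept.
REMOTE_OUTPUT = """\
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Policy Manager State............................. RUN
"""
ANCHOR_OUTPUT = """\
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
IP Address....................................... 10.50.10.128
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Policy Manager State............................. RUN
Interface........................................ guest
VLAN............................................. 4
"""

# "Key..... value" rows; the key may contain spaces, the dots are padding.
FIELD = re.compile(r"^(?P<key>[A-Za-z0-9 /()]+?)\s*\.{2,}\s*(?P<val>.*)$")


def parse_show_client(text):
    """Turn WLC 'show client detail' rows into a {key: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def check_anchor_pairing(remote_text, anchor_text, remote_mgmt_ip, anchor_mgmt_ip, guest_vlan):
    """Return findings (empty list = OK) for one guest client seen on both WLCs.

    Verifies what path isolation promises: the foreign WLC only forwards
    (Export Foreign), the anchor owns the session (Export Anchor, web-auth RUN)
    and drops the client onto the guest VLAN, and each side points at the
    other's management address.
    """
    r, a = parse_show_client(remote_text), parse_show_client(anchor_text)
    findings = []
    if r.get("Client MAC Address") != a.get("Client MAC Address"):
        findings.append("outputs describe different client MAC addresses")
    if r.get("Mobility State") != "Export Foreign":
        findings.append(f"remote state {r.get('Mobility State')!r}, expected 'Export Foreign'")
    if a.get("Mobility State") != "Export Anchor":
        findings.append(f"anchor state {a.get('Mobility State')!r}, expected 'Export Anchor'")
    if r.get("Mobility Anchor IP Address") != anchor_mgmt_ip:
        findings.append(f"remote points at anchor {r.get('Mobility Anchor IP Address')}, expected {anchor_mgmt_ip}")
    if a.get("Mobility Foreign IP Address") != remote_mgmt_ip:
        findings.append(f"anchor points at foreign {a.get('Mobility Foreign IP Address')}, expected {remote_mgmt_ip}")
    if a.get("VLAN") != str(guest_vlan):
        findings.append(f"anchor placed client in VLAN {a.get('VLAN')}, expected guest VLAN {guest_vlan}")
    if a.get("Policy Manager State") != "RUN":
        findings.append("anchor policy manager not in RUN: web authentication has not completed")
    return findings


if __name__ == "__main__":
    print(check_anchor_pairing(REMOTE_OUTPUT, ANCHOR_OUTPUT, "10.50.10.26", "10.70.0.2", 4))
```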

Page 81

Additional Slides: WLC Wired Guest Configuration

Page 82

WLC Wired Guest Access

Create a dynamic interface as guest LAN which will be the ingress interface

DHCP server information is not required on this ingress interface

DHCP server information is required on the egress dynamic interface

Deployment Steps

Page 83

WLC Wired Guest Access Configuration

Create wired WLAN as “Guest LAN” type

Page 84

WLC Wired Guest Access Configuration

Assign the Ingress and Egress Interfaces

Ingress interface is the wired guest LAN

Egress interface could be the management or any dynamic interface

Page 85

WLC Wireless and Wired Guest Configuration

Wireless and wired guest WLAN

Page 86

Additional Slides

Page 87

Wireless Guest Authentication Portal: Configuring Customized WebAuth with WCS

Download a sample copy of the customized WebAuth page from WCS

Customize the WebAuth page as per your requirements

Upload the newly customized WebAuth page to the Anchor WLC

Diagram: Campus Core, CAPWAP APs serving Guest and Emp SSIDs, Wireless VLANs, Guest anchor, WCS, Internet

Page 88

Wireless Guest Authentication Portal: Design with Anchor WLC

Upload the customized web page to the Anchor WLC

Customized WebAuth bundle can contain: 22 login pages (16 WLANs, 5 Wired LANs and 1 Global)

22 login failure pages (in WCS 5.0 and up)

22 login successful pages (in WCS 5.0 and up)

Diagram: Campus Core, LWAPP APs serving Guest and Emp SSIDs, Wireless VLANs, Guest anchor, WCS, Internet

Page 89

Additional Slides: Configuring External Web Portal

Page 90

Wireless Guest Authentication Portal: External Web Server with WLC

Diagram: Campus Core, CAPWAP APs serving Guest and Emp SSIDs, Wireless VLANs, Guest WLC, External Web Server, Internet

Page 91

Customized Wired Pages: Design Considerations: No Redirect CLI

Customized “Magic” Login Page (JavaScript, meta tag or manual redirect)

4503-rk2#show run | i login.html
ip auth-proxy proxy http login page file bootflash:login.html

4503-rk2#more login.html
<html>
<head>
<script type="text/javascript">
location.href="https://10.100.10.227:8443/sites/LWA/switch_login.html?redirect_url="+location.href;
</script>
<noscript>
<meta HTTP-EQUIV="REFRESH" content="0;url=https://10.100.10.227:8443/sites/LWA/switch_login.html">
</noscript>
</head>
<body>
Redirecting ... continue <a href="https://10.100.10.227:8443/sites/LWA/switch_login.html">here</a>
</body>
</html>

• File is included in NGS 2.0.2: /guest/sites/samples/switch_includes

• To re-use this file, change “10.100.10.227” to the IP address of your NGS and “LWA” to the name of your NGS hotspot for wired

Page 92

Customized Wired Pages: Switch Config

ip device tracking
ip admission name IP_ADMIN_RULE proxy http
ip admission proxy http login page file disk1:login.htm
ip admission proxy http success page file disk1:success.htm
ip admission proxy http fail page file disk1:fail.htm
ip admission proxy http login expired page file disk1:expired.htm
!
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 authentication fallback WEB_AUTH_PROFILE
 authentication event fail action next-method
 dot1x pae authenticator
 dot1x tx-period 5
!
ip http server
ip http secure-server

Permit Traffic to NGS:

ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.100.10.227 eq 8443

Make sure to update the “Magic” Login Page with the NGS IP address and hotspot name

Everything else is standard Web-Auth

Page 93

Additional Slides: WCS Lobby Ambassador Configuration

Page 94

Guest Provisioning Service

User created in WCS with Lobby Ambassador (LA) privilege

Lobby Ambassador user logs into the WCS to create guest user accounts

Lobby Ambassador Feature in WCS

Page 95

Guest Provisioning Service

Associate the lobby admin with Profile and Location specific information

Lobby Ambassador Feature in WCS

Page 96

Guest Provisioning Service: Details About the Guest User(s)

Page 97

WCS Provisioning Service: Using Internal DB and Reporting Capabilities

1. Lobby Ambassador creates Guest Account with policies

2. Guest Account credentials & rules are pushed to WLC

3. Credentials are delivered to Guest by Print or Email with customized Logo

4. Guest Authentication on Guest portal

5. SNMP Trap with guest login information (MAC@, IP@, …)

6. Traffic can go through Corporate Network

Diagram: Wireless LAN Controller (Policy Enforcement, Guest Web Portal); Guest (Visitor, Contractor, Customer); WCS (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting); Lobby Ambassador (Employee Sponsor); Internet; steps 1 to 6 as numbered above

Page 98