BRKEWN-2016
Designing Unified Guest Access, Wired and Wireless
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2016_c1 2
Housekeeping
We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions
Please remember this is a ‘non-smoking’ venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times
Agenda
Overview: Guest Access as a Supplementary User Authentication
Wireless Guest Access Control and Path Isolation
Wired Guest Access Control and Path Isolation
Guest Authentication Portal
Guest Provisioning
Monitoring and Reporting
Guest Access Overview: Evolution to a Supplementary User Authentication
Borderless Network Context
Figure: several access methods, numerous profiles. The enterprise network (data center, corporate LAN, wireless LAN, DMZ, WAN, remote site) connects to the public Internet and to business partners; user profiles include employees, contractors, consultants, partners, and unknown or guest users.
Guest Access Components
Figure: guest-side and employee-side components: customizable login page, sponsored guest credentials, existing credential stores (enterprise directory), parity for wired/WLAN, centralized web page management (NAC Guest Server), flexible access policies, integrated access authentication, centralized accounting, 802.1X/MAB compatibility (ACS 5.1).
When to Use Web-Authentication?
802.1X: managed 802.1X devices, known users (employee with the SSC supplicant)
MAB (MAC address bypass): managed devices
Web Auth: users without 802.1X devices, users with bad credentials, guests
Web Auth is a supplementary authentication method, most useful when users can't perform or pass 802.1X
Primary use case: guest access. Secondary use case: an employee who fails 802.1X
Figure: a WiFi AP serving an employee (SSC, 802.1X), an employee with a bad credential, and a guest
Wireless Guest Access Control and Path Isolation
Guest Access Control
Cisco WLAN Controller Deployments
The LWAPP/CAPWAP tunnel is a Layer 2 tunnel: it encapsulates the client's original Ethernet frame
The same LWAPP/CAPWAP tunnel carries the data traffic of all SSIDs on an AP
Control and data traffic are tunneled to the controller via CAPWAP: control uses UDP 5246, data uses UDP 5247
Data traffic is bridged by the WLAN controller onto a unique VLAN corresponding to each SSID
The traffic isolation provided by VLANs is valid only up to the switch where the controller is connected
Figure: APs reach a WiSM WLAN controller in the campus core over LWAPP/CAPWAP; guest and employee SSIDs are bridged onto separate wireless VLANs
CAPWAP: Control And Provisioning of Wireless Access Points
Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Up to 71 EoIP tunnels are used to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
The original guest Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the anchor WLC
2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC
Figure: guest traffic goes from the AP over LWAPP/CAPWAP to the remote Wireless LAN Controller, then over the EoIP "Guest Tunnel" to the DMZ or anchor wireless controller behind the Cisco ASA firewall, and out to the Internet
Guest Path Isolation
Firewall Ports and Protocols
Must be open, in both directions, between the remote (foreign) and anchor controllers:
EoIP packets: IP protocol 97
Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)
Inter-controller CAPWAP (release 5.0, 6.0, 7.0) data/control traffic: UDP 5247/5246
Inter-controller LWAPP (before release 5.0) data/control traffic: UDP 12222/12223
Do NOT open the optional management/operational protocols through the guest firewall:
SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: UDP port 514
RADIUS authentication/accounting: UDP ports 1812 and 1813
Guest Path Isolation Using VRF
Campus Virtualization
Virtual Routing/Forwarding (VRF) is the Layer 3 virtualization used in enterprise campus networks
Guest isolation is done by dedicated VRF instances
Figure: the global routing table plus an Employee VRF and a Guest VRF, each with its own logical or physical Layer 3 interfaces, carried between devices over 802.1q, GRE, LSP, physical interfaces or others
Guest Path Isolation Using VRF
WLC and VRF Virtualization
CAPWAP path isolation at the access layer
Layer 2 path isolation between the WLC and the default gateway (isolated Layer 2 VLAN)
Layer 3 VRF isolation from the WLC to the firewall guest DMZ interface
Figure: wireless guest, CAPWAP to the Wireless LAN Controller in the corporate access layer, isolated Layer 2 VLAN to Layer 3 switches with VRF (Global, Employee VRF, Guest VRF), Guest VRF to the Cisco ASA firewall guest DMZ interface (inside/outside), then the Internet; guest provisioning is reached through the corporate intranet
Wired Guest Access Control and Path Isolation
Wired Guest Access
Wired Guest Enforcement Point
The wired guest access enforcement point can be delivered in two different locations:
Web Authentication on Catalyst switches (wired guest Catalyst web auth, 802.1X guest VLAN failover, open (guest) VLAN), with Layer 3 path isolation
Wired guest access feature on Wireless LAN Controllers, with Layer 2 path isolation
Wired (Guest) Access Basic Operation
Components: switch, DHCP/DNS, AAA server
Triggers: multiple triggers, single port config, mostly Flex-Auth (802.1X timeout, 802.1X failure, MAB failure)
1. Port enabled, pre-auth ACL applied
2. Host acquires an IP address; DHCP and ARP trigger the session state
3. Host opens a browser and the switch presents the login page
4. Host sends the password
5. Switch queries the AAA server; the AAA server authorizes the user and returns the policy
6. Switch applies the new ACL policy
Notes:
Access VLAN only; VLAN assignment is not supported
The pre-auth ACL must permit DHCP and DNS
The ACL applies to the port, so IP phones must use MDA
Use the Web Auth AAA fail policy for AAA outages
IP HTTP (secure-)server must be enabled; the user may be prompted to trust the certificate
Wired Guest L3 Path Isolation with VRF
Wired Guest Isolation with VRF for L3 Isolation
Access using VLAN isolation
Web authentication by Catalyst switches
Figure: wired guest on an isolated Layer 2 VLAN in the corporate access layer, Layer 3 switches with VRF (Global, Employee VRF, Guest VRF), Guest VRF to the Cisco ASA firewall guest DMZ (inside/outside), then the Internet; guest provisioning is reached through the corporate intranet
WLC Wired Guest Access
Wired Guest Access by Wireless LAN Controllers
Wired guest ports are provided in a designated location and plugged into an access switch
The configuration on the access switch puts these ports into the wired guest Layer 2 VLAN
On a single WLAN Controller the guest VLAN is trunked into the WLC
On a multi-controller deployment with auto-anchor mode the guest VLAN is trunked into the foreign controller and then tunneled to the DMZ anchor controller
Figure: wired guests on an isolated Layer 2 VLAN and wireless guests both reach the Wireless LAN Controller; an EoIP tunnel carries them to the DMZ or anchor Wireless LAN Controller behind the Cisco ASA firewall and on to the Internet, separate from the corporate intranet
WLC Wired Guest Access
Deployment Requirements
Five guest LANs for wired guest access are supported
The admin can create wired guest VLANs on the WLC and associate them with the guest LAN
Web-auth is the default security on a wired guest LAN, but open and web pass-through can also be used
No Layer 2 security such as 802.1X is supported
Multicast and broadcast traffic are dropped on wired guest VLANs to reduce the load on the overall network
Wired guest access is supported on a single guest WLC or in an anchor-foreign guest WLC scenario
Architecture Summary
Wireless is the preferred guest access technology because it gives the guest no physical connection to the corporate network
Wired guest access can be delivered by Catalyst switches or by the Wireless LAN Controller
An anchor controller in the guest DMZ allows full path isolation from the access point to the guest DMZ
VRF can be used for Layer 3 guest isolation
The Cisco ASA firewall provides Internet access security and advanced security features for guest control
Guest Services Portal
Guest Authentication Portal
Wireless and Wired Guest Authentication Portal is available in four modes:
Internal (Default Web Authentication Pages)
Customized (Downloaded Customized Web Pages)
External Using NAC Guest Server
External (Re-directed to external server)
Wireless Guest Authentication Portal
Internal Web Portal
The wireless guest user associates to the guest SSID
Initiates a browser connection to any website
The web login page is displayed (the welcome text is configurable, the rest is fixed text)
Wireless Guest Authentication Portal
Customizable Web Portal
Create your own Guest Access Portal web pages, upload the customized web page to the WLC, and configure the WLC to use the "customizable web portal"
A customized WebAuth bundle can contain:
22 login pages (16 WLANs, 5 wired LANs and 1 global)
22 login failure pages (in WCS 5.0 and up)
22 login success pages (in WCS 5.0 and up)
Wired Guest Authentication Portal
Catalyst Switches Internal Web Portal
Wired auth-proxy banner: the welcome text is configurable from the IOS config, the rest is fixed text
(config)#ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C
Wired Guest Authentication Portal
Catalyst Switches Customizable Web Portal
Configurable HTML pages on bootflash: 4 pages, 8 KB each: login, success, expired, failure
Completely customizable
Images must be embedded or external
4 files, 8 KB max each:
(config)#ip admission proxy http login page file bootflash:login.html
(config)#ip admission proxy http success page file bootflash:success.html
(config)#ip admission proxy http login expired page file bootflash:expired.html
(config)#ip admission proxy http failure page file bootflash:fail.html
Centralized Wireless and Wired Guest Portal
NAC Guest Server (NGS)
Multi-function standalone appliance
Customizable hotspot hosting
Sponsored guest access provisioning, verification, management
Wireless Guest
Centralized Login Page
1) Administrator creates the WLAN login page on NGS
2) Wireless guest opens a web browser
3) Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server
4) Guest Server returns the centralized login page
Figure: AP, WLC and NGS; the WLC redirects the guest's browser (3) to NGS, which returns the login page (4)
Wired Guest
Looks Exactly the Same As Wireless
1) Administrator creates the wired login page on NGS
2) Wired guest opens a web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) Guest Server returns the centralized login page
Figure: switch and NGS; the switch redirects the guest's browser (3) to NGS, which returns the login page (4)
Authentication and Authorization
Still Local
1) Administrator creates the wired login page on NGS
2) Wired guest opens a web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) Guest Server returns the centralized login page
5) Guest submits credentials to the switch (POST to switch: username, password)
6) Switch authenticates the credentials and controls access
Figure: switch and NGS; NGS only serves the login page (4), the credential POST (5) goes to the switch, which performs authentication and access control (6)
Guest Services Provisioning
Requirements for Guest Provisioning
Might be performed by non-IT personnel
Must deliver basic features, but might also require advanced features:
Duration
Start/end time
Bulk provisioning, ...
Provisioning strategies: lobby ambassador, employees
Multiple Guest Provisioning Services
The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
Cisco Wireless LAN Controller: basic provisioning (included in the Cisco Wireless LAN Solution)
Cisco Wireless Control System: advanced provisioning (included in the Cisco Wireless LAN Solution)
Cisco NAC Guest Server: dedicated provisioning (additional Cisco product)
Customer server: customized provisioning (customer development)
Guest Provisioning Service: WLC
Cisco Wireless LAN Controller
Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
Lobby Ambassadors have limited guest features and must create the user directly on the WLC:
Create guest user (up to 2048 entries)
Set time limitation (up to 30 days)
Set guest SSID
Set QoS profile
Guest Provisioning Service: WCS
Cisco Wireless Control System
WCS offers a specific Lobby Ambassador access for guest management only
Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers
Lobby Ambassadors on WCS are able to create guest accounts with advanced features like:
Start/end time and date, duration
Bulk provisioning
Set QoS profiles
Set access based on WLC, access points, or location
Guest Provisioning Service: Add a Guest User with WCS
Guest Provisioning Service: Print/E-Mail Details of Guest User
Guest Provisioning Service: Schedule a Guest User
Configure Controller Template > Schedule Guest User
Guest Provisioning Service: NGS
Cisco NAC Guest Server
Dedicated external server
Complete provisioning, accounting, reporting, and billing services
Advanced, full-featured sponsor and guest user policies
Large guest account base using RADIUS
Easy integration with Clean Access and WLC
Email and SMS notifications
Sponsor authentication through local database, LDAP or Active Directory
Cisco NAC Guest Server
NGS Configuration
1. IT administrator configures NGS:
Sponsor or Lobby Ambassador access rights
Declare the Guest Anchor WLC in NGS
Configure security/policy rules
2. IT admin configures the WLC to use Cisco NGS:
Define the Guest SSID
Associate NGS as RADIUS server
Figure: IT admin (network/solution management) configures NGS (1) and the WLC (2). Roles: Lobby Ambassador/employee sponsor and guest (visitor, contractor, customer). Components: Wireless LAN Controller (policy enforcement, guest web portal), NAC Guest Server (Lobby Ambassador portal, guest account database, monitoring and reporting), corporate network, Internet.
Cisco NAC Guest Server
Admin Interface
The admin portal is required to configure the device
Cisco NAC Guest Server
Sponsor Authentication: Local Account/AD
The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account
Cisco NAC Guest Server
Guest Policy: Username/Password Policy
Username policy:
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters
Password policy:
1. Alphabetic characters
2. Numeric characters
3. Special characters
Cisco NAC Guest Server
WLC Integration: Guest Server Configuration
Add the WLC that performs WebAuth as a RADIUS client in the NGS
NGS uses the standard RADIUS attribute 27 (Session-Timeout) to hand the session timeout to the WLC
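The attribute 27 exchange in working form, as an added example that is not NGS or WLC code: derive the Session-Timeout from a sponsor-set account end time (so an expired account never yields a positive timeout), encode it as a RADIUS attribute TLV, and parse it back out of an Access-Accept attribute list with length checks. The account times are constructed.

```python
"""Encode and decode the RADIUS Session-Timeout attribute (type 27) that NGS
returns in its Access-Accept to the WLC, and derive its value from a guest
account's end time. Added example, not NGS or WLC code; the guest account
times below are constructed."""
import struct
from datetime import datetime

SESSION_TIMEOUT = 27                 # RFC 2865 attribute type
UINT32_MAX = 0xFFFFFFFF


def guest_session_timeout(account_end_iso, now_iso):
    """Seconds the WLC may keep the guest session alive (RADIUS integer, so capped at 2^32-1).
    0 means the account has already expired: the sponsor's end time is enforced through this
    timeout, so an expired account must never get a positive value."""
    remaining = datetime.fromisoformat(account_end_iso) - datetime.fromisoformat(now_iso)
    seconds = int(remaining.total_seconds())
    return 0 if seconds <= 0 else min(seconds, UINT32_MAX)


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: 1-byte type, 1-byte total length (6 for integers), 4-byte big-endian value."""
    if not 0 <= value <= UINT32_MAX:
        raise ValueError("RADIUS integer attributes are 32-bit")
    return struct.pack("!BBI", attr_type, 6, value)


def decode_attributes(payload):
    """Walk a RADIUS attribute list into {type: raw_value}; reject lengths that overrun or are < 2."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def session_timeout_from(payload):
    """Session-Timeout value from an Access-Accept attribute list, or None if absent."""
    raw = decode_attributes(payload).get(SESSION_TIMEOUT)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("Session-Timeout must be a 4-byte integer")
    return struct.unpack("!I", raw)[0]


if __name__ == "__main__":
    # Constructed account: the sponsor set it to expire at 18:00, it is now 09:00 -> 9 h = 32400 s
    timeout = guest_session_timeout("2010-06-28T18:00:00", "2010-06-28T09:00:00")
    tlv = encode_attribute(SESSION_TIMEOUT, timeout)
    print(tlv.hex(), session_timeout_from(tlv))
```

The WLC starts counting from the Access-Accept, so the value must be recomputed at every login rather than stored once at account creation; otherwise a guest who logs in late gets the full original lifetime.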
Cisco NAC Guest Server
Informing the Guest
The sponsor has three ways to inform the guest:
1. Printing the details
2. Sending the details via e-mail
3. Sending the details via SMS
Cisco NAC Guest Server
Sponsor Portal: Create and Print Guest Access Credentials
Cisco NAC Guest Server
Guest User Creation
1. Sponsor creates the guest account through the dedicated NGS server
2. Credentials are delivered to the guest by print, email or SMS
3. Guest authenticates on the guest portal
4. RADIUS request from the WLC to the Cisco NGS server
5. RADIUS response with policies (session timeout, ...)
6. RADIUS accounting with session information (time, login, IP, MAC, ...)
7. Traffic can go through
Figure: the Lobby Ambassador/employee sponsor creates the account (1) on the NAC Guest Server (Lobby Ambassador portal, guest account database, monitoring and reporting) and delivers credentials (2) to the guest (visitor, contractor, customer); the guest logs in (3) on the Wireless LAN Controller (policy enforcement, guest web portal), which exchanges RADIUS requests (4, 5) and RADIUS accounting (6) with NGS before passing traffic (7) to the Internet
Cisco NAC Guest Server
Lobby Ambassador: Guest Account Creation
Personal settings
Several ways to create guest accounts
Tools to manage guest accounts
Reporting and Monitoring
Cisco NAC Guest Server
Sponsor Portal: Guest Reports and Logs
Aggregation of Guest Information
NGS aggregates guest reporting information:
From the WLC (RADIUS accounting): login, start/stop time, MAC address, source IP address
From the ASA (syslog): destination IP address/ports, URL logging, ...
Figure: wireless guest, Wireless LAN Controller, DMZ or anchor Wireless LAN Controller, Cisco ASA firewall, Internet, corporate intranet; the anchor WLC sends RADIUS accounting to the NGS Guest Server and the ASA sends syslog to it
ASA configuration:
ntp server 192.168.215.62
policy-map global_policy
 class inspection_default
  inspect http
!
service-policy global_policy global
logging enable
logging timestamp
logging list WebLogging message 304001
logging trap WebLogging
logging facility 21
logging host inside 192.168.215.16
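The correlation NGS performs between the two feeds, as an added example that is not NGS code: pair RADIUS Accounting-Start/Stop records into guest sessions, parse the ASA 304001 URL-logging lines, and attribute each URL to the guest who held the source address at that time. All accounting records and log lines are constructed; the ASA line layout ("<Mon> <dd> <yyyy> <hh:mm:ss>: %ASA-5-304001: <src> Accessed URL <dst>:<url>", as produced with `logging timestamp`) is an assumption to check against real output. Time matters because guest address pools are reused: the same IP belongs to different people over the day, and a URL logged between two sessions must not be charged to either.

```python
"""Correlate ASA URL-logging syslog (message 304001) with WLC RADIUS accounting
records to build the per-guest activity report that NGS aggregates.
Added example, not NGS code. All accounting records and log lines below are
constructed; the ASA line layout ("<Mon> <dd> <yyyy> <hh:mm:ss>: %ASA-5-304001:
<src> Accessed URL <dst>:<url>") is assumed from the 'logging timestamp'
format and should be checked against real output."""
import re
from datetime import datetime

URL_LOG = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-5-304001: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) Accessed URL (?P<dst>\d+\.\d+\.\d+\.\d+):\s*(?P<url>\S+)$"
)

# Constructed RADIUS accounting records as the anchor WLC would send them to NGS.
# guest2 reuses guest1's IP address later in the day, which is why time matters.
SAMPLE_ACCT = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "4c28a1f0/00:40:96:ad:0d:1b/1",
     "User-Name": "guest1", "Calling-Station-Id": "00:40:96:ad:0d:1b",
     "Framed-IP-Address": "10.10.60.23", "Timestamp": "2010-06-28T09:00:00"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "4c28a1f0/00:40:96:ad:0d:1b/1",
     "User-Name": "guest1", "Calling-Station-Id": "00:40:96:ad:0d:1b",
     "Framed-IP-Address": "10.10.60.23", "Timestamp": "2010-06-28T10:00:00"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "4c28c3a0/00:1b:77:aa:bb:cc/2",
     "User-Name": "guest2", "Calling-Station-Id": "00:1b:77:aa:bb:cc",
     "Framed-IP-Address": "10.10.60.23", "Timestamp": "2010-06-28T11:00:00"},
]

# Constructed ASA syslog; only 304001 lines carry URL information.
SAMPLE_SYSLOG = [
    "Jun 28 2010 09:05:12: %ASA-5-304001: 10.10.60.23 Accessed URL 93.184.216.34:http://example.com/",
    "Jun 28 2010 10:30:00: %ASA-5-304001: 10.10.60.23 Accessed URL 93.184.216.34:http://example.com/news",
    "Jun 28 2010 11:15:42: %ASA-5-304001: 10.10.60.23 Accessed URL 198.51.100.7:http://example.net/",
    "Jun 28 2010 11:16:00: %ASA-6-302013: Built outbound TCP connection 4711 for dmz:10.10.60.23/51000 "
    "(10.10.60.23/51000) to outside:198.51.100.7/80 (198.51.100.7/80)",
]


def build_sessions(acct_records):
    """Pair Accounting-Start/Stop by Acct-Session-Id into {user, mac, ip, start, stop}."""
    sessions = {}
    for rec in acct_records:
        s = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec["User-Name"], "mac": rec["Calling-Station-Id"],
            "ip": rec["Framed-IP-Address"], "start": None, "stop": None})
        ts = datetime.fromisoformat(rec["Timestamp"])
        if rec["Acct-Status-Type"] == "Start":
            s["start"] = ts
        elif rec["Acct-Status-Type"] == "Stop":
            s["stop"] = ts
    return list(sessions.values())


def owner_of(sessions, src_ip, ts):
    """Session that held src_ip at ts; None when no session covers it (reused or unknown address)."""
    for s in sessions:
        if s["ip"] == src_ip and s["start"] is not None and s["start"] <= ts \
                and (s["stop"] is None or ts <= s["stop"]):
            return s
    return None


def guest_activity_report(acct_records, syslog_lines):
    """Return ({username: [(iso_time, dst_ip, url), ...]}, [unattributed 304001 lines])."""
    sessions = build_sessions(acct_records)
    report, unattributed = {}, []
    for line in syslog_lines:
        m = URL_LOG.match(line)
        if not m:
            continue                       # other message IDs carry no URL
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        s = owner_of(sessions, m["src"], ts)
        if s is None:
            unattributed.append(line)      # audit these: traffic with no authenticated guest behind it
            continue
        report.setdefault(s["user"], []).append((ts.isoformat(), m["dst"], m["url"]))
    return report, unattributed


if __name__ == "__main__":
    report, unattributed = guest_activity_report(SAMPLE_ACCT, SAMPLE_SYSLOG)
    for user, hits in report.items():
        for when, dst, url in hits:
            print(f"{user:8} {when} {dst:16} {url}")
    print(f"{len(unattributed)} URL log line(s) could not be tied to a guest session")
```

The unattributed list is worth alerting on: with the pre-auth ACL and anchor design above, a guest address producing URL traffic outside any accounting session means either clock skew between the WLC and the ASA (hence the `ntp server` line in the configuration) or traffic that bypassed web authentication.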
Guest Activity Reporting
Summary
From Wireless Guest Access ...
Figure: guest and sponsored guest, Wireless Control System and Wireless LAN Controller
... to Unified Wired and Wireless Guest Access ...
Figure: sponsored guest, NGS Guest Server, guest parity for wired/WLAN
... to Centralized Policy and Accounting
Figure: Active Directory and a RADIUS proxy behind the NGS Guest Server; employee (SSC, 802.1X/MAB compatibility) and employee-sponsored guest; parity for wired/WLAN; centralized policy and accounting
What We Have Covered...
What a guest access service is made of
The need for a secured infrastructure to support isolated guest traffic. Unified Wireless is a key component of this infrastructure.
The guest service components are integrated in the Cisco wired and wireless solution.
Guest access is one of the user access policies available to control and protect the enterprise Borderless Network
Recommended Reading: BRKEWN-2016
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Check the Recommended Reading brochure for suggested products available at the Cisco Store
Enter to Win a 12-Book Libraryof Your Choice from Cisco Press
Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code
Additional Slides: Evolution to a Supplementary User Authentication
Challenge in Building an Access Policy in a Borderless Network
Access Policy
Who is on my network?
Can I manage the risk of using personal PCs?
Common access rights when on-prem, at home, on the road?
Are endpoints healthy?
Guest Access
Can I allow guests Internet-only access?
How do I manage guest access?
Can this work in wireless and wired?
How do I monitor guest activities?
Authorized Access for Non-User Devices
How do I discover non-user devices?
Can I determine what they are?
Can I control their access?
Are they being spoofed?
Why Web Authentication for Guest?
User-based
Familiar
Ubiquitous
Clientless
Additional Slides: LWAPP/CAPWAP Controller Configurations
Guest Access Control WLAN Controller Deployments
Access Layer Switch (no trunk between the AP and the access layer switch; only the AP management VLAN is defined):
vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access
Cisco Catalyst Switch connected to the WLAN Controller (SVIs corresponding to each SSID are defined here):
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown
Guest Access Control WLAN Controller Deployments
Create the employee and guest VLAN in the controller
Guest Access Control WLAN Controller Deployments
Map the employee/guest WLAN in the controller to the respective employee/guest VLAN
Additional Slides: Building the EoIP Tunnel
Guest Path Isolation
Building the EoIP Tunnel
Specify a mobility group for each WLC
Open ports for inter-controller tunneled client data and inter-controller control traffic
Configure the mobility groups and add the MAC address and IP address of the remote WLC
Create identical WLANs on the remote and anchor controllers
Create the mobility anchor for the guest WLAN
Modify the timers in the WLCs
Check the status of the mobility anchors for the WLAN
Pros:
Simple configuration
Overlay solution: no need to modify the network configuration
Cons:
Support for wireless and wired (Layer 2 adjacent) guest clients only
Limited to WLAN Controller wireless deployments
Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel: Remote Controller Configuration
Each WLC is part of a mobility group
Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel: Anchor and Remote Controller Configuration
Configure the mobility groups and add the MAC address and IP address of the remote WLCs (screenshots: Anchor, Remote)
Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel: Remote Controller Configuration
Create the mobility anchor for the guest WLAN on the remote WLCs
Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel: Anchor Controller Configuration
Create the mobility anchor for the guest WLAN on the anchor WLC
Path Isolation
WLAN Controller Deployments with EoIP Tunnel: Anchor Controller
Modify the timers on the anchor WLCs
Check the status of the mobility anchors for the WLAN
Guest Network Redundancy
Anchor WLC reachability is determined using EoIP pings (data path)
The foreign WLC sends pings at configurable intervals to check whether the anchor WLC is alive
Once an anchor WLC failure is detected, a DEAUTH is sent to the clients anchored there
The remote WLC keeps monitoring the failed anchor WLC
Under normal conditions clients are balanced between anchor WLCs in round-robin fashion
Figure: foreign WLC F1 (management 10.10.80.3, guest VLAN 10.10.60.x/24) in the campus core with CAPWAP APs carrying guest and secure (employee) wireless VLANs; a primary link and a redundant link carry EtherIP "Guest Tunnels" to anchor WLCs A1 (management 10.10.75.2) and A2 (management 10.10.76.2) in front of the Internet
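The behaviour on this slide as a small model, added here and not WLC code: new guest clients are spread round-robin over reachable anchors, each EoIP ping interval updates per-anchor state, an anchor that stops answering is marked dead and the clients anchored on it are returned for DEAUTH, and the dead anchor keeps being probed so it becomes eligible again when it answers. The ping interval is left to the caller and the miss threshold of 3 is an assumption, not a controller default; the anchor addresses are A1 and A2 from the diagram.

```python
"""Model of how a foreign (remote) WLC handles anchor redundancy: new guest
clients are spread round-robin over reachable anchors, EoIP data-path pings
track each anchor, an anchor that stops answering is marked dead and the
clients anchored there are deauthenticated, and the dead anchor keeps being
probed so it becomes eligible again. Added example, not WLC code; the ping
interval is left to the caller and the miss threshold (3) is an assumption,
not a controller default."""
from collections import OrderedDict


class AnchorPool:
    def __init__(self, anchors, max_missed=3):
        # ordered so round-robin is deterministic; anchors are keyed by management IP
        self.state = OrderedDict((a, {"alive": True, "missed": 0, "clients": set()}) for a in anchors)
        self.max_missed = max_missed
        self._rr = 0

    def alive_anchors(self):
        return [a for a, st in self.state.items() if st["alive"]]

    def pick_anchor(self, client_mac):
        """Anchor a new guest client; None when no anchor is reachable (the guest WLAN is down)."""
        alive = self.alive_anchors()
        if not alive:
            return None
        anchor = alive[self._rr % len(alive)]
        self._rr += 1
        self.state[anchor]["clients"].add(client_mac)
        return anchor

    def ping_cycle(self, replied):
        """One EoIP ping interval; `replied` is the set of anchors that answered.
        Returns {dead_anchor: clients to DEAUTH}. Dead anchors stay in the pool and are re-probed."""
        deauth = {}
        for anchor, st in self.state.items():
            if anchor in replied:
                st["missed"] = 0
                st["alive"] = True
                continue
            st["missed"] += 1
            if st["alive"] and st["missed"] >= self.max_missed:
                st["alive"] = False
                deauth[anchor] = set(st["clients"])   # these clients re-associate and get re-anchored
                st["clients"].clear()
        return deauth


if __name__ == "__main__":
    pool = AnchorPool(["10.10.75.2", "10.10.76.2"])      # A1 and A2 from the diagram
    for mac in ("00:40:96:ad:0d:1b", "00:1b:77:aa:bb:cc", "00:21:5c:11:22:33"):
        print(mac, "->", pool.pick_anchor(mac))
    for cycle in range(1, 4):                            # A2 stops answering EoIP pings
        print("ping cycle", cycle, "deauth:", pool.ping_cycle({"10.10.75.2"}))
    print("after recovery:", pool.ping_cycle({"10.10.75.2", "10.10.76.2"}), pool.alive_anchors())
```

The point to size for is the DEAUTH burst: every client on the failed anchor re-authenticates at once on the surviving anchor, so the guest portal and the RADIUS path to NGS see that spike together.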
Path Isolation
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
Sample Firewall Configuration
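Added example, not Cisco code, covering both the "Firewall Ports and Protocols" slide and the sample firewall configuration above: it classifies a flow between the foreign (inside) WLC and the DMZ anchor into the tunnel set the guest firewall must permit and the management protocols it must not, generates the matching ASA ACL lines (LWAPP ports only when the deployment still runs pre-5.0 code), and audits an existing ACL for management protocols that have been opened across the guest DMZ boundary. The addresses are the ones from the sample configuration (foreign 10.50.10.26, anchor 10.70.0.2); the named-port table is a small convenience for ASA keywords such as `www`.

```python
"""Classify traffic between the foreign (inside) WLC and the DMZ anchor WLC
into the tunnel set the guest firewall must permit and the management
protocols it must not, and emit the matching ASA ACL lines. Added example
covering both the 'Firewall Ports and Protocols' slide and the sample
firewall configuration; it is not Cisco code. Addresses match the sample
config: foreign 10.50.10.26, anchor 10.70.0.2."""

EOIP_PROTO = 97                                   # EoIP: IP protocol 97
REQUIRED_UDP = {16666: "mobility (non-secured)", 16667: "mobility (IPSec)",
                5246: "CAPWAP control", 5247: "CAPWAP data",
                12222: "LWAPP data (pre-5.0)", 12223: "LWAPP control (pre-5.0)"}
MGMT_ONLY = {("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("udp", 69): "TFTP",
             ("udp", 123): "NTP", ("udp", 161): "SNMP", ("udp", 162): "SNMP traps",
             ("tcp", 443): "HTTPS", ("tcp", 80): "HTTP", ("udp", 514): "Syslog",
             ("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS accounting"}
NAMED_PORTS = {"ssh": 22, "telnet": 23, "tftp": 69, "ntp": 123, "snmp": 161,
               "snmptrap": 162, "https": 443, "www": 80, "syslog": 514}   # ASA port keywords


def classify(proto, dport=None):
    """'required' for the guest tunnel, 'management' for protocols to keep closed, else 'other'."""
    if proto in (EOIP_PROTO, str(EOIP_PROTO)):
        return "required"
    if proto == "udp" and dport in REQUIRED_UDP:
        return "required"
    if (proto, dport) in MGMT_ONLY:
        return "management"
    return "other"


def asa_acl(name, foreign, anchor, lwapp=False):
    """ACL lines permitting only the tunnel set from the foreign to the anchor controller.
    LWAPP ports (pre-5.0 code) are left out unless the deployment still runs it."""
    lines = [f"access-list {name} extended permit {EOIP_PROTO} host {foreign} host {anchor}"]
    for port in sorted(p for p in REQUIRED_UDP if lwapp or p not in (12222, 12223)):
        lines.append(f"access-list {name} extended permit udp host {foreign} host {anchor} eq {port}")
    return lines


def audit(acl_lines):
    """Flag permit entries that open management protocols across the guest DMZ boundary."""
    findings = []
    for line in acl_lines:
        parts = line.split()
        if "permit" not in parts:
            continue
        proto = parts[parts.index("permit") + 1]
        dport = None
        if "eq" in parts:
            port = parts[parts.index("eq") + 1]
            dport = int(port) if port.isdigit() else NAMED_PORTS.get(port)
        if classify(proto, dport) == "management":
            findings.append(line)
    return findings


if __name__ == "__main__":
    acl = asa_acl("DMZ", "10.50.10.26", "10.70.0.2")
    print("\n".join(acl))
    # A well-meaning "let the inside poll the anchor over SNMP" entry is exactly what must not be added:
    print(audit(acl + ["access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq snmp"]))
```

The sample configuration on the slide permits only 16666, 16667 and protocol 97, which is the minimal set for a post-5.0 CAPWAP deployment that does not run inter-controller CAPWAP through the firewall; the generator adds 5246/5247 because the ports slide lists them as required.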
Show Commands
show mobility summary
Show Commands
show mobility anchor
show mobility statistics
Show Commands: Remote and Anchor WLC
show client detail mac_address
Remote WLC:
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Anchor WLC:
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
Show client detail mac_address
Remote Anchor
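Reading `show client detail` by eye is error-prone once more than a handful of guest clients are anchored. The following is an added example, not code from the slides or from Cisco: it parses the dotted `Key..... Value` format of the anchor-controller output shown above (copied into the sample below) and checks the fields the anchor design depends on: Mobility State is Export Anchor, a foreign controller address is recorded, web authentication has finished (Policy Manager State RUN, Security Policy Completed), and the client landed in the guest interface and VLAN. The interface name `guest` and VLAN `4` come from the slide's output; treating them as the required values is an assumption of the example.

```python
"""Parse WLC 'show client detail' output and verify the anchored-guest state.

Added example, not from the slides or from Cisco. SAMPLE_ANCHOR_OUTPUT is the
anchor-controller output shown on the slide; the expected interface 'guest'
and VLAN '4' are read from that output and assumed to be the design intent.
"""
import re

SAMPLE_ANCHOR_OUTPUT = """\
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
IP Address....................................... 10.50.10.128
Authentication Algorithm......................... Open System
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Encryption Cipher................................ None
Interface........................................ guest
VLAN............................................. 4
"""

# 'Key' followed by a run of at least three dots, then the value.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*?)\s*$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_show_client_detail(text):
    """Turn the dotted 'Key.... Value' lines into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def check_anchor_client(fields, guest_interface="guest", guest_vlan="4"):
    """Return a list of deviations from the expected anchored-guest state.

    An empty list means the client terminates on this controller as an Export
    Anchor, completed web authentication (RUN) and sits in the guest
    interface/VLAN, i.e. the guest path isolation the design relies on holds.
    """
    expected = {
        "Mobility State": "Export Anchor",
        "Policy Manager State": "RUN",
        "Security Policy Completed": "Yes",
        "Interface": guest_interface,
        "VLAN": guest_vlan,
    }
    issues = []
    for key, want in expected.items():
        got = fields.get(key)
        if got != want:
            issues.append(f"{key}: expected {want!r}, got {got!r}")
    # An exported client must name the foreign controller it came from.
    foreign = fields.get("Mobility Foreign IP Address", "")
    if not IPV4_RE.fullmatch(foreign):
        issues.append(f"Mobility Foreign IP Address missing or malformed: {foreign!r}")
    return issues


if __name__ == "__main__":
    parsed = parse_show_client_detail(SAMPLE_ANCHOR_OUTPUT)
    problems = check_anchor_client(parsed)
    print(f"{parsed['Client Username']} on {parsed['IP Address']}:",
          "OK" if not problems else problems)
```

The same parser works on the foreign controller's output, where the field to check is instead `Mobility Anchor IP Address` against the anchor's management address.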
Additional Slides
WLC Wired Guest Configuration
WLC Wired Guest Access
Deployment Steps
Create a dynamic interface as guest LAN, which will be the ingress interface
DHCP server information is not required on the ingress interface
DHCP server information is required on the egress dynamic interface
WLC Wired Guest Access Configuration
Create wired WLAN as “Guest LAN” type
WLC Wired Guest Access Configuration
Assign the Ingress and Egress Interfaces
Ingress interface is the wired guest LAN
Egress interface could be the management or any dynamic interface
WLC Wireless and Wired Guest Configuration
Wireless and wired guest WLAN
Additional Slides
Wireless Guest Authentication Portal
Configuring Customized WebAuth with WCS
Download a sample copy of the customized WebAuth page from WCS
Customize the WebAuth page as per your requirements
Upload the newly customized WebAuth page to the Anchor WLC
[Diagram: Campus Core, CAPWAP tunnels, Wireless VLANs (Guest, Emp), WCS, Internet]
Wireless Guest Authentication Portal
Design with Anchor WLC
Upload the customized web page to the Anchor WLC
Customized WebAuth bundle can contain:
22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages (in WCS 5.0 and up )
22 login successful pages (in WCS 5.0 and up)
[Diagram: Campus Core, LWAPP tunnels, Wireless VLANs (Guest, Emp), WCS, Internet]
Additional Slides
Configuring External Web Portal
Wireless Guest Authentication Portal
External Web Server with WLC
[Diagram: Campus Core, CAPWAP tunnels, Wireless VLANs (Guest, Emp), Guest WLC, External Web Server, Internet]
Customized Wired Pages
Design Considerations: No Redirect CLI

Customized “Magic” Login Page (Javascript, meta tag or manual redirect):

4503-rk2#show run | i login.html
ip auth-proxy proxy http login page file bootflash:login.html
4503-rk2#more login.html
<html>
<head><script type="text/javascript">
location.href="https://10.100.10.227:8443/sites/LWA/switch_login.html?redirect_url="+location.href;</script><noscript>
<meta HTTP-EQUIV="REFRESH" content="0;url=https://10.100.10.227:8443/sites/LWA/switch_login.html">
</noscript></head><body>
Redirecting ... continue <a href="https://10.100.10.227:8443/sites/LWA/switch_login.html">here</a> </body>
</html>

• File is included in NGS 2.0.2: /guest/sites/samples/switch_includes
• To re-use this file, change “10.100.10.227” to the IP address of your NGS and “LWA” to the name of your NGS hotspot for wired
Customized Wired Pages
Switch Config

ip device tracking
ip admission name IP_ADMIN_RULE proxy http
ip admission proxy http login page file disk1:login.htm
ip admission proxy http success page file disk1:success.htm
ip admission proxy http fail page file disk1:fail.htm
ip admission proxy http login expired page file disk1:expired.htm
!
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE
!
dot1x system-auth-control
!
interface Gigabit 1/0/5
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 authentication fallback WEB_AUTH_PROFILE
 authentication event fail action next-method
 dot1x pae authenticator
 dot1x tx-period 5
!
ip http server
ip http secure-server

Permit Traffic to NGS:

ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.100.10.227 eq 8443

Make sure to update the “Magic” Login Page with the NGS IP address and hotspot name
Everything else is standard Web-Auth
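The pre-WebAuth ACL is what bounds an unauthenticated wired guest until the portal login completes, so it is worth checking what it actually permits rather than assuming. The following is an added example, not part of the slides or of any Cisco tool: it parses the slide's PRE_WEBAUTH_POLICY ACL (only the syntax subset the slide uses: protocol, `any` or `host <addr>` for source and destination, and an optional `eq <port>` on the destination) and evaluates constructed sample flows from a guest host, assumed to sit at 10.30.0.50 on access VLAN 30, with IOS first-match semantics and the implicit deny at the end. The redirect to login.html comes from the switch's web authentication interception, which the slide configures separately; the model covers ACL matching only.

```python
"""Check what an unauthenticated wired guest can reach under PRE_WEBAUTH_POLICY.

Added example, not from the slides or from Cisco. The ACL text is the one on
the slide; the guest host address (10.30.0.50 on access VLAN 30) and the
sample flows are constructed. Only the ACL syntax the slide uses is supported:
protocol, 'any' or 'host <addr>' for source and destination, and an optional
'eq <port>' on the destination. IOS evaluates ACEs top-down, first match wins,
and an unmatched packet hits the implicit deny at the end of the list.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known port names as IOS prints them in the slide's ACL.
IOS_PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

# Taken from the slide's switch configuration.
PRE_WEBAUTH_POLICY = """
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.100.10.227 eq 8443
"""

# Constructed flows from a guest host before it has authenticated.
GUEST = "10.30.0.50"
SAMPLE_FLOWS = [
    # label, protocol, source, destination, destination port
    ("dhcp discover", "udp", GUEST, "255.255.255.255", 67),
    ("dns to resolver", "udp", GUEST, "10.30.0.1", 53),
    ("ngs portal 8443", "tcp", GUEST, "10.100.10.227", 8443),
    ("ngs on 443", "tcp", GUEST, "10.100.10.227", 443),
    ("ssh to ngs", "tcp", GUEST, "10.100.10.227", 22),
    ("corporate web server", "tcp", GUEST, "10.20.0.10", 80),
    ("internet https", "tcp", GUEST, "203.0.113.10", 443),
]


@dataclass
class Ace:
    """One access control entry; None for an address or port means 'any'."""
    action: str
    proto: str
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Consume 'any' or 'host <addr>' at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_acl(text):
    """Parse the supported IOS extended-ACL subset into an ordered list of ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":  # 'ip access-list extended ...' header
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = IOS_PORT_NAMES[port] if port in IOS_PORT_NAMES else int(port)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow: first match wins, else implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def preauth_reachability(acl_text=PRE_WEBAUTH_POLICY, flows=SAMPLE_FLOWS):
    """Map each sample flow label to the verdict an unauthenticated guest gets."""
    aces = parse_acl(acl_text)
    return {label: evaluate(aces, proto, src, dst, dport)
            for label, proto, src, dst, dport in flows}


if __name__ == "__main__":
    for label, verdict in preauth_reachability().items():
        print(f"{verdict:6}  {label}")
```

Only DHCP, DNS and TCP 8443 to the NGS come back as `permit`; everything else, including the NGS itself on any other port and any corporate or Internet host, is dropped until the guest authenticates. If the portal is moved to another port or the NGS address changes, this is the rule that has to change together with the “Magic” login page.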
Additional Slides
WCS Lobby Ambassador Configuration
Guest Provisioning Service
Lobby Ambassador Feature in WCS
User created in WCS with Lobby Ambassador (LA) privilege
Lobby Ambassador user logs into the WCS to create guest user accounts
Guest Provisioning Service
Lobby Ambassador Feature in WCS
Associate the lobby admin with Profile and Location specific information
Guest Provisioning Service
Details About the Guest User(s)
WCS Provisioning Service
Using Internal DB and Reporting Capabilities
1. Lobby Ambassador creates Guest Account with policies
2. Guest Account credentials & rules are pushed to WLC
3. Credentials are delivered to Guest by Print or Email with customized Logo
4. Guest Authentication on Guest portal
5. SNMP Trap with guest login information (MAC@, IP@, …)
6. Traffic can go through Corporate Network
[Diagram components: Wireless LAN Controller (Policy Enforcement, Guest Web Portal); Guest (Visitor, Contractor, Customer); WCS (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting); Lobby Ambassador (Employee Sponsor); Internet]