BRKAGG-2016
Cisco Public
Agenda
Introduction
Guest Access Service Requirements
Deploying Secured Wireless Network supporting Wireless and Wired Guest Access
Guest Access
Customized Access
Contractors/Consultants: need restricted internal access (printers, file shares)
Guest Users: Internet access only, no need to access internal systems
Figure: access needs range from Internet Only (guest users) to Full Access, with contractors/consultants in between; other labels on the figure are Specific applications and Device support.
Usability
Monitoring
Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted
Logging and Monitoring
Must not require guest desktop software or configuration
BRKAGG-2016 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Access Control
Standalone AP Deployments
Use of an 802.1Q trunk for the switch-to-AP connection to carry all the defined VLANs (one VLAN per SSID)
Isolation of guest traffic in the L2 domain using a dedicated guest VLAN associated to the guest SSID
Traffic isolation provided by VLANs is valid up to the first L3 hop device
Figure: distribution layer (Multilayer Campus design) versus access layer (Routed Access Campus design), with guest and employee wireless VLANs mapped to Guest and Emp SSIDs across the campus core.
Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID
Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
LWAPP: Lightweight Access Point Protocol; CAPWAP: Control And Provisioning of Wireless Access Points
Figure: LWAPP/CAPWAP access points tunnelling across the campus core to the controller, where guest and employee wireless VLANs (Guest and Emp SSIDs) are bridged.
No Trunk Between AP and Access Layer Switch, Only AP Mgmt VLAN Defined
Agenda tracks: Tunnels or VLANs; Guest; Employee Function (guest provisioning web portal, guest user intercept web auth portal, audit trails)
Access Control
End-to-End Wireless Traffic Isolation
The fact:
VLAN isolation for standalone APs is valid up to the first L3 hop
Traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller (centralized deployment is recommended)
The challenge:
How to provide end-to-end wireless guest traffic isolation, allowing internet access but preventing any other communications?
Path Isolation
Why Do We Need It for Guest Access?
Extend traffic logical isolation end-to-end over the L3 network domain
Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, etc.)
Securely transport the guest traffic across the internal network infrastructure
Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor WLC
2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC
Figure: remote controllers in the campus core bridge employee VLANs locally, while guest traffic from the Guest SSID rides EoIP tunnels to the anchor controller facing the Internet.
Configuration steps:
Configure the mobility groups and add the MAC address and IP address of the remote WLC
Create identical WLANs on the Remote and Anchor controllers
Create the Mobility Anchor for the Guest WLAN
Modify the timers in the WLCs
Check the status of the Mobility Anchors for the WLAN
Pros
Simple configuration
Overlay solution: no need to modify the network configuration
Cons
Support for wireless and wired (layer 2 adjacent) guest clients only
Limited to WLAN Controller wireless deployments
Path Isolation
WLAN Controller Deployments with EoIP Tunnel Anchor Controller
Modify the timers on the Anchor WLCs
TFTP: UDP Port 69
NTP: UDP Port 123
SNMP: UDP Ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP Port 443/80
Syslog
RADIUS Auth/Account
Path Isolation
Sample Firewall Configuration
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
! Only mobility control (UDP 16666/16667) and the EoIP data tunnel (IP protocol 97)
! are permitted between the remote controller and the anchor controller.
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
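As an added example (not from the Cisco deck), the following Python checks an ASA-style DMZ ACL against the intent of the slide above: only mobility control (UDP 16666/16667) and EoIP (IP protocol 97) between the remote controller and the anchor controller should be permitted, and all three flows must be present or the tunnel will not come up. The sample ACL is constructed from the slide's three entries plus one over-permissive line added here to show what gets flagged; the function names and the regex are this example's own.

```python
import re

# Constructed sample: the three ACEs from the slide plus one over-permissive
# line added here so the audit has something to flag.
SAMPLE_ACL = """
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
access-list DMZ extended permit ip any any
"""

# Flows the anchor design needs between remote and anchor WLC:
# mobility control on UDP 16666/16667 and the EoIP data tunnel (IP protocol 97).
REQUIRED_FLOWS = {("udp", "16666"), ("udp", "16667"), ("97", None)}

# ASA extended ACE: access-list NAME extended ACTION PROTO SRC DST [eq PORT]
ACE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>host \S+|any|\S+ \S+)\s+"
    r"(?P<dst>host \S+|any|\S+ \S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text):
    """Return one dict per ACE line that matches the supported syntax."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def _between_controllers(e, remote_wlc, anchor_wlc):
    return e["src"] == f"host {remote_wlc}" and e["dst"] == f"host {anchor_wlc}"


def audit_dmz_acl(text, remote_wlc, anchor_wlc):
    """ACEs that permit anything beyond the required controller-to-controller flows."""
    return [e for e in parse_acl(text)
            if e["action"] == "permit"
            and not (_between_controllers(e, remote_wlc, anchor_wlc)
                     and (e["proto"], e["port"]) in REQUIRED_FLOWS)]


def missing_flows(text, remote_wlc, anchor_wlc):
    """Required flows no permit ACE covers (the EoIP anchor would not come up)."""
    present = {(e["proto"], e["port"]) for e in parse_acl(text)
               if e["action"] == "permit" and _between_controllers(e, remote_wlc, anchor_wlc)}
    return REQUIRED_FLOWS - present


if __name__ == "__main__":
    for e in audit_dmz_acl(SAMPLE_ACL, "10.50.10.26", "10.70.0.2"):
        print("over-permissive:", e["proto"], e["src"], e["dst"], e["port"])
    print("missing:", missing_flows(SAMPLE_ACL, "10.50.10.26", "10.70.0.2"))
```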
Show Commands
show mobility summary
show mobility anchor
show mobility statistics
Anchor
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Interface........................................ guest-vlan
VLAN............................................. 4
On the anchor the AP MAC address shows as all zeros: the client is tunnelled in from the remote controller rather than associated to an AP local to the anchor.
Figure: anchor controller A2 in the DMZ behind firewall F1, controller management addresses 10.10.76.2 and 10.10.75.2; Guest VLAN 10.10.60.x/24 carried over LWAPP/CAPWAP from the campus core, where Guest and Secure wireless VLANs are defined; Internet reached through the DMZ.
Table: comparison of DMZ WLC, LAN, EoIP and WCS options (Yes/No and High/Low ratings; cell alignment lost in extraction).
Enables the ability to leverage common guest user policies for both wired and wireless network access
Figure: wired guest access: a Layer-2 switch and LWAPP access points carry Guest and Secure traffic; the DMZ or Anchor Wireless LAN Controller sits between the Corporate Intranet and the Internet and terminates Wireless Guest traffic.
Architecture Summary
Wireless is the preferred Guest Access technology because it provides no physical connectivity to the corporate network.
Using multiple BSSIDs allows for WLAN virtualization: each WLAN appears to come from a separate Access Point.
An Anchor Controller in the Guest DMZ allows for full Path Isolation from the Access Point to the Guest DMZ.
The Cisco ASA Firewall allows only EoIP traffic between Wireless LAN Controllers.
The Cisco ASA Firewall also provides advanced security features for Guest control.
Policy Enforcement
Differentiated Guest Services per SSID
Several Guest SSIDs can be defined on WLCs. Each SSID can have its own rules (ACL, wired interface, Pre-auth ACL, etc.)
Lobby administrators can select the appropriate SSID profile depending on guest type (visitor, contractor, customer, etc.)
Policy Enforcement
Using ACL for Guest Traffic
ACL can be applied per wired VLAN associated to a guest SSID
ACL can be overridden per SSID
ACL can, in some provisioning situations, be per user or per user group (guests authenticated by a RADIUS server)
Policy Enforcement
Using ACL for Guest Traffic
Pre-auth ACL allows specific traffic to be forwarded even if the guest is not yet web authenticated.
Pre-auth ACL can be used for allowing access to VPN services, free web services, etc.
Policy Enforcement
Guest Network Bandwidth Contracts
Specify bandwidth limitations and policies by individual user or group
Ability to allocate resources by specific job function or throughput requirements
Organization's overall network performance is enhanced
Figure: Internet-facing WLC acting as Anchor Controller, campus core with employee VLANs, and LWAPP/CAPWAP access points serving SSID = ACCT and SSID = CONTRACTOR.
Policy Enforcement
QoS Profile
QoS Profiles can be created per type of guest (customer, contractors, visitors, etc.)
Ability to allocate resources by specific job function or throughput requirements
Organization's overall network performance is enhanced
When creating a Guest account the lobby admin will be able to use one of the defined profiles
QoS policy will apply downstream
Start/End Time, Bulk provisioning
Provisioning Strategies: Lobby Ambassador, Employees
Provisioning Strategy
Lobby Ambassador: Guest Accounts are created by lobby ambassadors at reception desks
Pros
Easier for Employees
Cons
No identified employee sponsor
Lobby ambassadors are often not employees and change regularly (tracking concern)
When in a meeting room and internet access is needed, the guest has to go back to reception
Provisioning Strategy
Sponsor Employees: Guest Accounts are created by employees, using an Intranet service
Pros
Easy tracking of the guest access sponsor (better tracking)
Access code can be generated when needed, and not only at reception
Employee can proactively create access codes and send them by email to visitors
Cons
Employees need to be aware of the guest service and able to use it
Guest provisioning tool needs to be interconnected to the enterprise directory
Customized Provisioning
Customer Server, Cisco NAC Guest Server, Cisco Wireless Control System, Cisco Wireless LAN Control
Guest Services
Support on WLC with Local Database
Configure the local internal database of the WLC
2048 entries can be stored in the local database per WLC
Figure: WLC between the campus core and the Internet; guest and employee wireless VLANs (Guest and Emp SSIDs) reached over LWAPP.
Bulk provisioning; set QoS profiles; set access based on WLC, access points, or location
Password Policy
1. Alphabetic characters
2. Numeric characters
3. Special characters
Figure: Lobby Ambassador or Employee Sponsor provisions access for the Guest (Visitor, Contractor, Customer); RADIUS Requests and RADIUS Accounting flow between the WLC and the guest server; the guest reaches the Internet, separate from the Corporate Network.
IT Admin defines Guest Policies and Employee service access policies
Lobby Ambassador or Employee Sponsor creates Guest access credentials
Provisioning server configures the WLC
Guest credential delivered to the guest by print, email or SMS
Guest associates to the open guest WiFi service and is intercepted by the WLC
WLC, NGS or Clean Access pushes the guest portal; the guest provides credentials
Guest has internet access
Figure: IT Admin (Network/Solution Mgt) with AAA Server (TACACS+, LDAP); Guest Provisioning (WCS, NGS, ...); Lobby Ambassador / Employee Sponsor; Guest (Visitor, Contractor, Customer); Corporate Network with Path Isolation; Internet.
Services Edge
Configuring Customized WebAuth in WCS
Upload the customized web page to the Anchor WLC
Customized WebAuth bundle can contain:
22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages (in WCS 5.0 and up)
22 login successful pages (in WCS 5.0 and up)
Services Edge
Sample Customized WebAuth in WCS
Sample webauth bundle with customized login.html, logout.html and loginfailure.html files
Guest login audit trail:
Start and end of guest session
Guest MAC address
Guest IP address
Used WLC and connected AP
Summary
Components of the Guest Service are integrated in Cisco Unified Solution but can be complemented at several levels.
Project deployments might have to take care of Reporting and Tracking aspects depending on regions.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Software releases referenced: 4.2.112, 5.0.148, 5.1.78, 6.0.182
Acronyms
VPN: Virtual Private Network
WLAN: Wireless LAN
AP: Access Point
WLC: WLAN Controller
LWAPP: Lightweight Access Point Protocol
QoS: Quality of Service
VRF: Virtual Routing/Forwarding
GRE: Generic Routing Encapsulation
mGRE: Multipoint GRE
IGP: Interior Gateway Protocol
EIGRP: Enhanced Interior Gateway Routing Protocol
OSPF: Open Shortest Path First
WAN: Wide Area Network
SVI: Switched Virtual Interface
EoIP: Ethernet over IP