
Remote and Mobile Assets—Fleet Management

This module is part of the larger Remote and Mobile Assets (RaMA) Cisco Validated Design (CVD). Refer to the other modules for additional details about certain aspects of the architecture that are touched on in this module. All of the RaMA CVD modules are available at: www.cisco.com/go/rama

Solution Brief—An overview of the RaMA CVD and the available modules.

Design and Implementation Guide (DIG)—Overall document for architecture, design, and best practice recommendations for remote and mobile asset deployments.

Technology Guidance Module—Overview of the available hardware options for IoT gateways in the RaMA solution, with recommendations on hardware platform and software features to use for common scenarios.

Enterprise Network Integration Module—Best practices for the enterprise headend focusing on resiliency, high-availability, load-balancing, and security. Includes detailed descriptions of FlexVPN and WAN redundancy mechanisms.

Security Module—Describes how the RaMA solution was designed from the ground up with security in mind. Includes detailed descriptions of how the solution fits into the SAFE model, including securing the gateways, data plane, and management plane. Also includes a section on achieving PCI compliance.

Remote Site Management Module—Best practices for remote site connectivity, covering the use of the full range of Cisco Industrial Routers (IR 807, IR 809, IR829, IR 1101) as the managed gateway, providing wired and cellular connectivity for southbound devices as well as numerous northbound interfaces. This module also covers best practices for inbound connectivity for devices behind the gateway including isolation of management and data planes and whitelisting of applications and devices.

Zero Touch Provisioning Module—Use of Kinetic GMM by IT personnel for provisioning and managing Cisco Industrial Routers with a focus on secure, scalable deployment.

Field Deployment Module—Use of Kinetic GMM by OT personnel for deploying Cisco Industrial Routers in the field, with minimal knowledge of the underlying networking technology required.

Edge Compute Module—Overview of the edge compute capabilities in Cisco Industrial Routers in the form of IOx. Includes implementation examples for deploying Dockerized applications.


Cisco Systems, Inc. www.cisco.com



This module includes the following sections:

Overview, page 2: A brief summary of the Fleet Management module.

Requirements, page 2: Common requirements around managed mobile gateways across a broad set of fleet customers.

Architecture, page 3: Key components of the RaMA Fleet architecture including WiFi hotspots, WiFi backhaul, network integration, GPS/geofencing, and edge compute microservices.

Design, page 4: Describes design considerations for the RaMA architectural components.

Best Practices, page 13: Best practices, frequently asked questions, and tips for deploying a robust solution.

Implementation, page 14: Implementation steps and configuration snippets that can be used as a reference during deployment.

Appendix—Implementing External Web Authentication with Cisco Identity Services Engine, page 24: Describes the steps necessary to configure external web authentication using a Cisco Wireless LAN Controller (WLC) and Cisco Identity Services Engine (ISE).

Glossary, page 47: List of relevant acronyms and initialisms.

Overview

The Fleet module for the RaMA CVD is relevant for a broad set of fleet operators including:

City transportation (public bus and taxi operators)

First responder fleets (police vehicle fleets)

Service fleets (utility vehicles)

This module contains architectures and best practices for a robust network that includes options for enterprise network integration, the use of WiFi to offload large files consuming high bandwidth, and the ability to run microservice workloads on the gateways deployed at the edge.

Requirements

A secure and reliable cellular connection at all times

WiFi hotspot in and around the vehicle

GPS and geofencing

Work Group Bridge (WGB) for WiFi in the WAN

Enterprise network integration

Edge compute

Ability to deploy and run microservices at the edge

Centralized microservice application deployment and lifecycle management

Device diagnostics

SIM management using Cisco Control Center

Display a web authentication splash page for public WiFi user authentication


Zero touch provisioning of ruggedized gateways

Architecture

Figure 1 RaMA Fleet Architecture

Key architectural aspects include:

WiFi hotspot—Ability to provide a WiFi hotspot within and around the vehicle, which is particularly useful for improving operator productivity within and around the vehicle as well as offering WiFi to customers of buses and taxis.

WiFi backhaul (WGB)—Provides the ability to connect to enterprise WiFi using the 5 GHz range once the vehicle is within range. This is useful for offloading high-bandwidth traffic, such as upload of stored video surveillance data, using WiFi connectivity rather than expensive cellular connectivity. This technology uses WiFi as an uplink.

Enterprise network connectivity—Helps extend enterprise connectivity to the edge of the IoT fabric using a secure IPSec VPN tunnel.

GPS and geofencing—Enabling GPS functionality within the gateway to provide current and historical GPS data and geofencing to create a virtual geographic boundary, enabling software to trigger a response whenever a mobile asset enters or leaves a particular area.

Integration with Cisco Control Center—Integrating Cisco Kinetic Gateway Management Module (GMM) with Cisco Control Center (formerly Jasper Control Center) so that the cellular connection of each gateway can be managed (only available with Control Center-managed SIM cards).


Edge compute—Provides the ability to deploy microservice applications at the edge of the IoT fabric using the Cisco IOx platform. One such example is the Device Diagnostics Application which runs on the gateway’s IOx platform to collect gateway metrics (cellular, GPS, etc.) and makes them available for third-party applications via a web service RESTful API.

Design

This design section covers key aspects for fleet management including:

WiFi Hotspot Design, page 4

WiFi Backhaul Design, page 8

GPS and Geofencing, page 11

Edge Compute Design, page 12

WiFi Hotspot Design

WiFi Connectivity

Wireless technology based on IEEE 802.11 is a key requirement for many customers looking to extend their enterprise network, especially for mobile use cases. The IR829 router makes 802.11n connectivity available for downstream client access (“hotspots”). The ability to wirelessly connect laptops, phones, tablets, cameras, and a wide range of other devices to the mobile gateway enables clients to achieve an experience consistent with being within range of the enterprise wireless infrastructure.

Radios—2.4 GHz and 5 GHz

When operating as a hotspot, the access point onboard the IR829 can use both its 2.4 GHz and 5 GHz radios for client connections, providing maximum performance and compatibility. When operating as both a hotspot and a WGB, the hotspot uses the 2.4 GHz radio and the WGB uses the 5 GHz radio.

Note: For information about extending enterprise connectivity to the edge, refer to the Enterprise Network Integration module which provides details about the architecture, design, and technologies.

Note: WiFi is available only on the IR829 router. The IR807, IR809, and IR1101 routers do not currently support WiFi.


Figure 2 IR829 Wireless with Autonomous Mode and Hotspot Only

Figure 3 IR829 Wireless with Autonomous Mode and Hotspot and Workgroup Bridge

AP Modes (Unified and Autonomous Mode)

A Service Set Identifier (SSID), which is generally used as a “name” to identify a wireless network, is used by client devices to specify which network they would like to join. Depending on the use case, it may be beneficial to use a unique SSID for each IR829 acting as a hotspot or use a common one across all APs deployed across an enterprise.

If the intent is for individuals to only have access to a single IR829's network, using a unique SSID and PSK for authentication may be ideal. This is available through Autonomous Mode since the wireless APs are not integrated with the corporate wireless infrastructure and the Cisco Wireless LAN controller. This mode would be ideal when no integration with the corporate WiFi infrastructure is required. This would be the case when providing free public WiFi to third-party users within city fleets (buses, taxis, etc.).


If the goal is to provide a unified extension of the fixed enterprise wireless network, Unified Mode allows for the use of the same SSID and authentication method that is used in the fixed wireless network. When using this mode, the gateways use a Cisco Wireless LAN controller for AP configuration and management. This is ideal for businesses with existing Cisco Unified wireless infrastructure and allows the existing fixed wireless infrastructure to be extended to the mobile gateways. This provides centralized configuration management and monitoring of the APs onboard the IR829. This also helps provide a seamless experience for employees connecting to the fixed wireless network by creating a wireless network “bubble” around the IR829 without needing to use a different SSID or authentication method.

Unified APs use the Control and Provisioning of Wireless Access Points (CAPWAP) protocol to communicate with the Cisco Wireless LAN Controller (WLC). CAPWAP uses a Layer 3 tunnel over UDP between the Unified AP and the WLC. Ensure that the firewall setting allows CAPWAP control packets to be sent between the ephemeral UDP port on the AP and UDP port 5246 on the WLC.

Since most WLCs reside inside the enterprise on a secure network that is not directly reachable from the Internet (and therefore not from the IR829), two general options exist for a Cisco Kinetic GMM-managed IR829 to communicate with the WLC:

In the first option, the IR829 maintains a FlexVPN tunnel connected to the enterprise VPN headend that provides connectivity to the enterprise network, including the WLC. This FlexVPN tunnel is typically established over the cellular interface(s) of the IR829 using a public Access Point Name (APN) with access to the internet, but could also be connected over the Ethernet to an external modem or network.

Figure 4 IR829 Wireless with Unified Mode and CAPWAP over FlexVPN

The second option for establishing enterprise connectivity between the Unified AP and the WLC is to use a Private APN. In this scenario, the private APN should be set up to allow enterprise-owned cellular devices to connect directly into the enterprise network without needing a VPN tunnel.


Figure 5 IR829 Wireless in Unified Mode with CAPWAP over Private APN

For the Unified Wireless LAN architecture, two options are typically available for determining how the client data is routed or switched through the network:

In centrally-switched mode, all client data is routed through the CAPWAP tunnel and through the WLC.

In locally-switched mode, the client data does not need to traverse the CAPWAP tunnel and WLC, but instead can be switched or routed on the local network (IR829 in this case).

Authentication

Authentication of wireless clients is accomplished by one of two available methods:

The simplest form of authentication is via a pre-shared key (PSK), which is essentially a common password that is shared by all clients that need to connect to the wireless hotspot network. A PSK is best suited to use cases where ease of connectivity is prioritized over security, such as in a public transportation vehicle where the goal is to provide hotspot connectivity for passengers. The PSK is communicated to users out-of-band (for example, by a posted sign or word-of-mouth).

An alternative authentication method is 802.1x, which is an IEEE standard mechanism for network-based authentication. 802.1x defines how Extensible Authentication Protocol (EAP) packets can be encapsulated for use over LANs (this is called EAPOL, for EAP over LAN), including wired Ethernet and wireless 802.11 networks. Three parties are involved in every 802.1x authentication transaction:

— Supplicant—This is the end client device, such as a laptop, phone, or tablet that needs to access the wireless network. Typically, the supplicant functionality is built into the operating system or could be implemented in another application such as Cisco AnyConnect.

— Authenticator—This is the network device, such as a wireless access point, or a switch that acts as an enforcement point in the network, blocking client access until authentication is complete.

— Authentication server—This is an application that actually authenticates the supplicant and typically communicates using protocols like RADIUS and EAP.

The 802.1x authentication process is outlined in the ladder diagram in Figure 6.


Figure 6 802.1x Authentication Ladder

The Cisco RaMA solution supports 802.1x authentication with a user name and password for wireless hotspot clients connected to the IR829. Authentication for wired clients using 802.1x is not supported without the use of Advanced Templates. In order for clients to authenticate using 802.1x, the WAN connection from the IR829 to the RADIUS server must be available. If the WAN connection is interrupted, new wireless client authentications will fail and clients will not be able to connect. Clients using PSK authentication will still be able to authenticate locally on the AP if the WAN connection is interrupted.
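The EAPOL encapsulation and the three-party ladder described above, as an added example that is not part of the CVD or any Cisco code: a small parser for the EAPOL/EAP headers an authenticator sees on its LAN port, applied to a hand-assembled Start / Request-Identity / Response-Identity / Success sequence (the byte strings and the username are constructed, not captured from a real client).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Standard code points from IEEE 802.1X (EAPOL) and RFC 3748 (EAP); they are
# not taken from the design guide.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapolFrame:
    version: int
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""


def parse_eapol(payload: bytes) -> EapolFrame:
    """Parse the EAPOL body that follows Ethertype 0x888E on the LAN.

    EAPOL header: version(1) type(1) body_length(2)
    EAP packet:   code(1) identifier(1) length(2) [type(1) type_data...]
    Every length field is checked against the bytes actually present, so a
    truncated or oversized frame raises instead of being misread.
    """
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    frame = EapolFrame(version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:
        return frame  # Start, Logoff and Key frames carry no EAP packet
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length does not fit the EAPOL body")
    frame.eap_code = EAP_CODES.get(code, f"unknown({code})")
    frame.eap_id = ident
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a type
        frame.eap_type = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        frame.eap_data = body[5:eap_len]
    return frame


def describe_exchange(raw_frames: List[bytes]) -> List[str]:
    """Return one ladder line per frame, seen from the authenticator's LAN port.

    Requests, Success and Failure are sent by the authenticator (relayed from
    the authentication server, which it reaches over RADIUS); EAPOL-Start,
    EAPOL-Logoff and Responses are sent by the supplicant.
    """
    lines = []
    for raw in raw_frames:
        f = parse_eapol(raw)
        if f.eapol_type == "EAP-Packet":
            from_supplicant = f.eap_code == "Response"
            what = f"EAP {f.eap_code}"
            if f.eap_type:
                what += f"/{f.eap_type}"
            what += f" (id={f.eap_id})"
            if f.eap_data:
                what += f" {f.eap_data!r}"
        else:
            from_supplicant = f.eapol_type in ("EAPOL-Start", "EAPOL-Logoff")
            what = f.eapol_type
        side = "Supplicant -> Authenticator" if from_supplicant else "Authenticator -> Supplicant"
        lines.append(f"{side}: {what}")
    return lines


# Constructed sample exchange (hand-assembled bytes, not a real capture):
# EAPOL-Start, EAP Request/Identity, EAP Response/Identity "alice", EAP Success.
SAMPLE_EXCHANGE = [
    bytes.fromhex("02010000"),
    bytes.fromhex("020000050101000501"),
    bytes.fromhex("0200000a0201000a01") + b"alice",
    bytes.fromhex("0200000403010004"),
]

if __name__ == "__main__":
    for line in describe_exchange(SAMPLE_EXCHANGE):
        print(line)
```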

WiFi Backhaul Design

The Cisco RaMA architecture supports branch station connectivity for local high-bandwidth access in cases where cellular bandwidth utilization is cost prohibitive, such as uploading large files or downloading software updates. The Workgroup Bridge functionality provided in this solution allows the use of a WiFi connection using the 5 GHz band (supported on the IR829) to offload such traffic and avoid cellular airtime costs. This provides a scalable WiFi infrastructure to deliver secure and high bandwidth wireless connectivity to vehicles at the station to enable uploads of captured data, perform maintenance of devices in the vehicle, and downloads of configuration updates.

The Cisco RaMA solution supports this requirement via the following components:

Cisco Wireless LAN Controller—A high-density controller for configuring and managing the APs, available in either a virtual or physical form factor.

Cisco IW3702 Ruggedized Access Points—IP67-rated outdoor AP that provides IEEE 802.11ac Wave 1 WiFi coverage for clients parked outside the station or in a parking garage.

Station Network—This includes the branch router with backhaul connectivity to the enterprise headquarters (HQ) using any number of technology options such as MPLS VPN or iWAN/SD-WAN. It includes PoE-enabled switches to power the wireless APs and provide them with network connectivity.


Figure 7 Branch Station Architecture

Cisco Wireless LAN Controller

The WLC is used to manage large quantities of lightweight access points (LAPs) from a single location and can be a physical appliance, a virtual appliance, or software that runs on a Cisco Catalyst 9300 switch. The WLC can be managed using either a GUI or the CLI. Important considerations to note about WLCs are:

WLCs can be located centrally or at the remote site depending on the WiFi network requirements and best practices.

All configuration for the LAPs is pushed down from the WLC, including:

— Authentication method (dot1x or PSK). For more information, refer to Authentication, page 7.

— Certificates

— RF management

— Software version

— SSIDs

— Switching mode

All management and provisioning traffic is communicated via the CAPWAP protocol.

In this solution, the FlexConnect switching mode was validated to ensure that all data traffic is locally switched on the LAP itself, instead of tunneled to the WLC.


Lightweight Access Point

The IW3702 and CAP3502 Access Points are validated for this solution and may be deployed with a variety of omni-directional or directional antennas, depending upon the branch/station layout and coverage requirements. Each station layout presents unique criteria and challenges for wireless deployment, so a site survey is required to determine the optimal positioning and density for access point deployment.

Important things to consider for the LAP are:

Power requirement—Access to a Yard Switch that supports Power over Ethernet (PoE)

Method of associating with the WLC

Outdoor radio coverage provided by AP placement and antenna selection

Associating the LAP

LAPs must establish a CAPWAP tunnel with the WLC in order to get their software image and configuration. Therefore, it is necessary for the access point to find a list of available controllers with which it can associate, which can be done in three ways:

1. Broadcast on the local subnet

2. DHCP Option 43 returned from the DHCP server

3. DNS lookup for “CISCO-CAPWAP-CONTROLLER.localdomain”

If the LAP does not reside in the same network as the WLC, “ip-helper” needs to be configured on the switch to which the LAP is connected. This ensures that any broadcast messages for DHCP discovery are directed to a central DHCP server, instead of requiring the deployment of a DHCP server at the edge of each branch network.
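The DHCP Option 43 discovery method listed above, as an added example that is not part of the CVD or any Cisco code: Cisco LAPs look for vendor suboption 241 (0xF1) carrying a list of WLC IPv4 addresses, and this block encodes that TLV, renders the dotted-hex form used in an IOS DHCP pool, and parses an option value back so a central DHCP server's answer can be checked against the list of approved controllers. The controller addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Cisco lightweight APs read vendor-specific suboption 241 (0xF1) inside DHCP
# option 43: a length byte followed by one or more 4-byte WLC management IPv4
# addresses. Tag and layout are the documented Cisco encoding; the addresses
# used below are constructed sample values.
CISCO_WLC_SUBOPTION = 0xF1


def build_option43(controllers: Iterable[str]) -> bytes:
    """Encode WLC addresses as the TLV a Cisco LAP expects in option 43."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte TLV length")
    return bytes([CISCO_WLC_SUBOPTION, len(packed)]) + packed


def parse_option43(blob: bytes) -> List[str]:
    """Walk every TLV in an option 43 value and return the WLC addresses found.

    Other vendors' suboptions are skipped; malformed lengths raise so a
    truncated or padded option is never silently interpreted.
    """
    addrs: List[str] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("dangling tag byte in option 43")
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV in option 43")
        if tag == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("suboption 241 length must be a non-zero multiple of 4")
            addrs.extend(str(ipaddress.IPv4Address(value[j:j + 4]))
                         for j in range(0, length, 4))
        i += 2 + length
    return addrs


def ios_option43_line(controllers: Iterable[str]) -> str:
    """Render the dotted-hex form used in an IOS DHCP pool 'option 43 hex' line."""
    hexstr = build_option43(controllers).hex()
    return "option 43 hex " + ".".join(hexstr[k:k + 4] for k in range(0, len(hexstr), 4))


def unexpected_controllers(blob: bytes, approved: Iterable[str]) -> List[str]:
    """Addresses served in option 43 that are not on the approved WLC list.

    Useful as a periodic check of what the central DHCP server actually hands
    out to the branch subnets reached through ip-helper.
    """
    allowed = {str(ipaddress.IPv4Address(a)) for a in approved}
    return [a for a in parse_option43(blob) if a not in allowed]


if __name__ == "__main__":
    print(ios_option43_line(["10.10.10.10", "10.10.10.11"]))
```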

Workgroup Bridge

The WGB feature provides a high bandwidth uplink for the in-vehicle gateway when it is in range of the enterprise fixed wireless infrastructure. Routing metrics can be set to give preference to the WGB uplink over the cellular uplink when the vehicle gets in range of the fixed wireless infrastructure and successfully connects. This allows for the secure and rapid transfer of bulk data and video files without incurring LTE bandwidth charges.

With WGB, the IR829's on-board AP acts as a client of the fixed wireless network. When the IR829 is configured for WGB, it needs to be configured in autonomous mode and needs to dedicate the 5 GHz radio on the onboard AP803 for the WGB connection and use the 2.4 GHz radio for the WiFi hotspot functionality.

Restricted Subnet

In order to ensure that connectivity to a specific host or network is only available via the WGB, Cisco recommends the use of a restricted subnet. This prevents high-bandwidth services and applications from consuming cellular data. When the WGB connection is down, any traffic destined to the restricted subnet is dropped regardless of what other uplinks are active.

Typical WGB Applications

Stations and branches are likely to host a number of applications that require high-bandwidth access to and from the mobile gateways. Some examples of applications that would benefit from a WGB connection include:

Video offload server—Most public service fleets like police cars and city buses capture a lot of video surveillance footage that needs to be uploaded to the video server when the vehicles dock at the branch/station site. Doing this using the WGB functionality discussed above limits the use of expensive and limited cellular bandwidth.


Location history server—Many enterprises want to store the location history for each of their mobile assets for security and regulatory reasons. This can be achieved by having a location history storage server at each of the branch sites. Again, location history can be offloaded using WGB functionality to limit the use of expensive and limited cellular bandwidth.

Software/device maintenance operations—For public safety vehicles (police cars, fire trucks, emergency medical vehicles), laptops, cameras, and other in-vehicle devices require application updates, patch updates, OS updates, etc. as a regular maintenance activity. These updates are typically downloaded from an IT-managed shared server that hosts the updated images, and the download is triggered when the device connects over the branch network. WGB capability helps avoid the large cellular costs associated with the downlink transfer of these large images.

GPS and Geofencing

Cisco Kinetic GMM can be used to enable GPS functionality within a gateway to provide location information (latitude and longitude) and geofencing, which is especially useful for asset tracking and recording movement. Available information includes the current location of the asset, historical location information, and gateway location history. The gateway location history is displayed by default for the past 24 hours in 1-hour increments, but can also be displayed for a specific day over a 30-day period.

A geofence can be easily defined in Cisco Kinetic GMM to track when a gateway enters or leaves a pre-defined geographic location, such as when a truck is within a mile of the shipping dock or when it leaves that same area. The geofence can be added by specifying a predefined radius around a geographical location or by drawing a custom area on the map, as shown in Figure 8.

Figure 8 Geofencing
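The two geofence shapes described above (a predefined radius around a location and a custom area drawn on the map) and the enter/leave trigger, as an added example that is not part of the CVD or of Cisco Kinetic GMM: a haversine circle fence, a polygon fence, and a function that turns a sequence of GPS fixes into enter/exit events. The dock coordinates and the hourly track are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

Point = Tuple[float, float]  # (latitude, longitude) in decimal degrees
EARTH_RADIUS_M = 6_371_000.0
MILE_M = 1609.344


def haversine_m(a: Point, b: Point) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


@dataclass
class CircleFence:
    """Predefined radius around a location (e.g. a mile around the dock)."""
    center: Point
    radius_m: float

    def contains(self, p: Point) -> bool:
        return haversine_m(self.center, p) <= self.radius_m


@dataclass
class PolygonFence:
    """Custom area drawn on the map, given as an ordered ring of vertices."""
    vertices: Sequence[Point]

    def contains(self, p: Point) -> bool:
        # Ray casting in lat/lon space: fine for depot-sized areas, where the
        # distortion of treating degrees as planar coordinates is negligible.
        lat, lon = p
        inside = False
        n = len(self.vertices)
        for i in range(n):
            lat1, lon1 = self.vertices[i]
            lat2, lon2 = self.vertices[(i + 1) % n]
            if (lon1 > lon) != (lon2 > lon):
                crossing_lat = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
                if lat < crossing_lat:
                    inside = not inside
        return inside


def geofence_events(fence, track: Iterable[Tuple[str, Point]]) -> List[Tuple[str, str]]:
    """Return (timestamp, 'enter' | 'exit') transitions along a GPS track.

    The first fix only establishes the initial state; an event is emitted
    whenever a later fix lands on the other side of the fence boundary.
    """
    events: List[Tuple[str, str]] = []
    state = None
    for ts, fix in track:
        now_inside = fence.contains(fix)
        if state is not None and now_inside != state:
            events.append((ts, "enter" if now_inside else "exit"))
        state = now_inside
    return events


# Constructed sample: a shipping dock and a short track of hourly fixes.
DOCK = (37.7749, -122.4194)
DOCK_FENCE = CircleFence(DOCK, MILE_M)
SAMPLE_TRACK = [
    ("08:00", (37.8000, -122.4500)),  # about 3.9 km away
    ("09:00", (37.7760, -122.4200)),  # about 130 m from the dock
    ("10:00", (37.7755, -122.4190)),  # still at the dock
    ("11:00", (37.7950, -122.4194)),  # about 2.2 km north
]

if __name__ == "__main__":
    for ts, kind in geofence_events(DOCK_FENCE, SAMPLE_TRACK):
        print(ts, kind)
```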


Edge Compute Design

The edge compute capabilities of the gateways, including Cisco IOx, allow users to develop customized microservices that greatly enhance the capabilities of the Cisco RaMA architecture. A sample Device Diagnostics application has been developed to illustrate one example of the many customized microservices that can leverage the edge compute capabilities of the gateways. This application utilizes the following components:

Diagnostics microservice

Third-party client

For additional details about the design and implementation of Cisco IOx for edge compute, refer to the RaMA Edge Compute module.

Figure 9 Device Diagnostics Utilizing IOx

Diagnostics Microservice

Cisco IOx provides uniform and consistent hosting capabilities for microservice applications at the edge of the IoT fabric. The IOx application environment brings together Cisco IOS, the industry-leading networking operating system, and Linux, the leading open source platform. With Cisco IOx, developers benefit from familiar processes and open source tools prevalent within Linux while generating applications that execute on Cisco IoT network infrastructure.

Cisco Kinetic GMM can be used to seamlessly deploy and manage the entire lifecycle of IOx microservice applications, enabling bulk, distributed deployment across the entire range of fleet gateways.

For this use case, Cisco DEVNET has developed a microservice application that is hosted on the edge gateways using the Cisco IOx platform. The microservice connects to the gateway, collects information and metrics related to the dual cellular interfaces and GPS data, and then exposes the collected data northbound via a RESTful web service interface. The Cisco Kinetic GMM UI is used to deploy and manage the Cisco diagnostic application on an IR829 router.


Third-Party Client

The data from the Diagnostic Microservice can be consumed by a third-party client such as the NetMotion Diagnostics application running on a Toughbook within the vehicle. The data can then be forwarded to either a cloud-hosted or on-premises application to aggregate and support review of data from all the gateways in a centralized manner.

Best Practices

Cisco recommends the use of Unified Mode. This helps integration with the corporate WiFi infrastructure and helps to extend the enterprise WiFi to the edge of the IoT fabric. Another advantage provided by Unified Mode is the enforcement of centralized policies defined within the enterprise. The same corporate WiFi SSID can be preserved, which avoids having to configure a different SSID and credentials for WiFi client devices. This enables seamless mobility. For additional information about Cisco Unified Wireless, refer to the Enterprise Mobility 8.5 Design Guide at: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/ch7_HREA.html

Cisco recommends the use of FlexVPN if connectivity to the enterprise network is required.

Cisco recommends the use of the locally-switched mode to reduce cellular data usage and potential latency.

Since most enterprises are expected to have some form of wireless infrastructure in place, the Cisco RaMA solution has been designed to integrate seamlessly with existing wireless infrastructure.

— WGB requires support for the 5 GHz band which is provided by the IW3702.

— Unified mode deployments require a Cisco wireless infrastructure with a Cisco Wireless LAN controller.

Existing Unified Wireless networks require a separate WLAN for the WGB. For security reasons, this WLAN should not be broadcast and should only be accessible by gateways connecting via WGB.

Some current factors and limitations to consider when configuring WGB via Cisco Kinetic GMM:

— WGB functionality is only supported on the IR829 gateway.

— WGB functionality is only supported when the IR829's on-board AP803 is operating in autonomous mode.

— WGB functionality currently supports only PSK authentication to the fixed wireless network.

— When WGB mode is enabled, 802.1X authentication is not supported for WiFi hotspot clients.

For more information on setting up a geofence and performing GPS troubleshooting, refer to: https://developer.cisco.com/docs/kinetic/#!track-gps-location

While Cisco Kinetic GMM natively provides cellular usage data, this data originates from the gateway rather than the cellular carrier. Cisco Control Center provides carrier usage data. For additional information about Control Center, refer to: https://www.jasper.com/products

For more information on Cisco IOx, refer to: https://www.cisco.com/c/en/us/products/cloud-systems-management/iox/index.html

For more information on Cisco Kinetic GMM, refer to: https://developer.cisco.com/docs/kinetic/

The sample Cisco DEVNET developed device diagnostics microservice is available at: https://github.com/CiscoDevNet/gw_uplink_stats


For more information on NetMotion Diagnostics, refer to: www.netmotion.com. This is just one example of the many fleet applications that can utilize the Device Diagnostics microservice.

Implementation

This section covers key aspects for fleet management including:

Device Diagnostics microservice for NetMotion—A sample IOx edge compute application

Device Diagnostics Microservice for NetMotionThis section describes how to deploy and configure the Fleet Diagnostics Application on a Cisco IR829 gateway using Cisco Kinetic GMM.

Setting up the NetMotion Microservice in IOx

1. Download the Cisco NetMotion IOx Application from DevNet.

2. Log into the Cisco Kinetic GMM portal using your account credentials.

3. Click Applications -> +Add Application.

For more information on creating templates in Cisco Kinetic GMM, refer to the Remote and Mobile Assets CVD: https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/RaMA/RaMA-DIG/RaMA-DIG.html#90940


4. Select Choose File From Your Computer and select the file downloaded from DevNet in step 1.

5. Click Install to install the application to a gateway.


6. On the Select Profile: pull-down menu, select custom and allocate 100 CPU Units and 100 MB RAM for the IOx application.

7. Select Gateways or Group of Gateways to Install Connection Service.


8. Create an Advanced Template by clicking Gateway -> Templates -> Advanced Templates, then +Add Advanced Template.

9. Enter a name for the configuration and a description if necessary (IOS and AP). Create two Advanced Templates using this process—one for the router configuration and one for the AP configuration.

10. Paste the following IOS and AP configuration (or your edited version) into the template box:

Router IOx

username netmotion privilege 15 password n3tm0ti0n
username cisco privilege 15 password cisco,123
ip host gw.kinetic.local ${gw.lan_ip}
int ${ gw.lan_if }
 no ip nat inside
 ip nat enable
int GigabitEthernet5
 no ip nat inside
 ip nat enable
ip nat source static tcp ${gw.ip_prefix}.${gw.ip_suffix?number + 2} 8080 interface ${gw.lan_if} 8080
int Vlan20
 ip address ${gw.ip_prefix}.${gw.ip_suffix?number + 8} 255.255.255.252
 ip nat enable
 no shut
int ${ gw.wan_if }
 no ip nat outside
 ip nat enable
int ${ gw.wan_if_sec }
 no ip nat outside
 ip nat enable
ip nat source route-map RM_WAN_ACL interface ${ gw.wan_if } overload
ip nat source route-map RM_WAN2_ACL interface ${ gw.wan_if_sec } overload

AP

hostname ap
ip domain-name gmm
crypto key generate rsa modulus 1024
ip ssh version 2
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username netmotion privilege 15 password n3tm0ti0n
username cisco privilege 15 password cisco
line vty 0 4
 transport input ssh
ip scp server enable
workgroup-bridge service-vlan 20
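The Advanced Template above is not pushed to the gateway verbatim: Cisco Kinetic GMM expands the ${gw.*} placeholders per gateway, and the two address lines depend on the ${gw.ip_suffix?number + N} arithmetic. The following is an added example (not Cisco Kinetic's renderer and not part of this guide) that expands an excerpt of the Router IOx template the same way, so the resulting static NAT entry for the microservice on port 8080 and the Vlan20 address can be checked before deployment, and flags the cleartext username/password lines. The gateway variable values are constructed, and the assumption that ?number + N behaves like FreeMarker integer arithmetic is mine.

```python
import re

# Constructed sample values for the ${gw.*} variables (not from a real
# deployment); Kinetic GMM fills the real values in per gateway.
GATEWAY_VARS = {
    "gw.lan_ip": "192.168.0.1",
    "gw.lan_if": "Vlan1",
    "gw.ip_prefix": "10.20.30",
    "gw.ip_suffix": "40",
    "gw.wan_if": "Cellular0",
    "gw.wan_if_sec": "GigabitEthernet0",
}

# Excerpt of the Router IOx Advanced Template from this section.
TEMPLATE = """\
username netmotion privilege 15 password n3tm0ti0n
ip host gw.kinetic.local ${gw.lan_ip}
int ${ gw.lan_if }
 ip nat enable
ip nat source static tcp ${gw.ip_prefix}.${gw.ip_suffix?number + 2} 8080 interface ${gw.lan_if} 8080
int Vlan20
 ip address ${gw.ip_prefix}.${gw.ip_suffix?number + 8} 255.255.255.252
 ip nat enable
ip nat source route-map RM_WAN_ACL interface ${ gw.wan_if } overload
"""

# Matches ${name}, ${ name } and ${name?number + N}; the ?number arithmetic
# is assumed to be FreeMarker-style integer add/subtract.
_PLACEHOLDER = re.compile(
    r"\$\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*(?:\?number\s*([+-])\s*(\d+))?\s*\}")


def unresolved_variables(template, variables):
    """Names the template uses that the gateway does not provide."""
    used = {m.group(1) for m in _PLACEHOLDER.finditer(template)}
    return sorted(used - set(variables))


def render(template, variables):
    """Expand every placeholder; fail loudly rather than push a
    half-rendered configuration to a gateway."""
    missing = unresolved_variables(template, variables)
    if missing:
        raise KeyError("unresolved template variables: " + ", ".join(missing))

    def expand(match):
        name, op, amount = match.groups()
        value = variables[name]
        if op is None:
            return value
        delta = int(amount) if op == "+" else -int(amount)
        return str(int(value) + delta)

    return _PLACEHOLDER.sub(expand, template)


def static_nat_mappings(config):
    """(inside address, inside port, interface, outside port) for each
    'ip nat source static tcp' line: the hole opened toward the
    NetMotion microservice on port 8080."""
    pattern = re.compile(
        r"^ip nat source static tcp (\S+) (\d+) interface (\S+) (\d+)\s*$", re.M)
    return [(ip, int(ip_port), intf, int(if_port))
            for ip, ip_port, intf, if_port in pattern.findall(config)]


def cleartext_passwords(config):
    """'username ... password' stores a type 0 password (type 7 with
    service password-encryption, which is reversible); 'username ... secret'
    stores a hash.  Return the lines that use the former."""
    return [line for line in config.splitlines()
            if re.match(r"^username \S+ .*\bpassword\b", line)]
```

With the constructed values the static NAT line renders as 10.20.30.42 port 8080 behind Vlan1 port 8080, which is the address NetMotion reaches through the LAN gateway address on port 8080 later in this section, and the Vlan20 service VLAN for the WGB lands on 10.20.30.48/30.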

11. Click Save.

12. Click Gateway -> Templates, then +Add Template.


13. Enter a template name and for model select IR829.

14. Click WAN Interface and set the following:

Enter the appropriate Cellular Settings.

Make sure LAN Ports are ENABLED (should be by default). If you want to disable a LAN port, uncheck that port. Also set GPS to ENABLED.

Set Advanced Template to ENABLED.

On the Select Template pull-down menu, select the Advanced AP Template and Advanced Router Template you created above.

15. Click Save.

For more information on Cellular Settings, see the LTE sections of the Remote And Mobile Assets CVD: https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/RaMA/RaMA-DIG/RaMA-DIG.html#88800

Note: To support the NetMotion Diagnostics application requirements, you must configure the gateway template to use a Custom Subnet for the LAN, with a network of 192.168.0.0, mask of 255.255.255.0, and gateway of 192.168.0.1.


16. You are now ready to deploy this template to your devices by following the procedures in the RaMA Field Deployment module.

Configure the NetMotion Fleet Management Application

1. Connect a PC running the NetMotion Diagnostics App to an Ethernet port on the IR829, or use an AP defined in the Cisco Kinetic GMM template.

2. Start the NetMotion Application.

3. Select Diagnostics Configuration and set the following:

Enter the server information provided by your NetMotion provider.

For Location, enter Broadband adapter.

For more information on NetMotion Diagnostics see: https://www.netmotionsoftware.com/products/diagnostics


Select Cisco for Remote Broadband and enter 192.168.0.1:8080 for the IP address.

4. To monitor valid GPS metrics in NetMotion, click GPS Metrics and select timeframe.


5. To monitor NetMotion inventory, click Inventory.


6. To monitor LTE network usage in NetMotion, click Network Usage -> Carriers.

7. To monitor cellular signal strength in NetMotion, click Network Performance and then click Device Map.


Appendix—Implementing External Web Authentication with Cisco Identity Services Engine

Overview

The flow for external web authentication is:

1. The user associates to the web authentication SSID.

2. The user opens their browser.

3. The HTTP traffic is matched on a FlexConnect ACL and is redirected to the guest portal.

4. The user authenticates on the portal.

5. Cisco Identity Services Engine (ISE) sends a RADIUS Change of Authorization (CoA—UDP Port 1700) to indicate to the controller that the user is valid and pushes RADIUS attributes such as the Access Control List (ACL).

6. The user is prompted to retry the original URL.

Figure 10 External Web Authentication Architecture
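Step 5 of the flow is the point where the shared secret configured on the WLC and in the ISE network device entry actually matters: the WLC only acts on a CoA-Request whose Request Authenticator was computed with the same secret. The following is an added example (not Cisco ISE or WLC code) that builds a RADIUS CoA-Request as described in RFC 5176 and verifies it the way the receiving controller would; the secret, identifier and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RADIUS code for CoA-Request (RFC 5176)
COA_PORT = 1700           # UDP port ISE uses toward the WLC, as stated above
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(identifier, attributes, secret):
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero
    octets + attributes + shared secret), RFC 5176 section 3."""
    attrs = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """True only if the packet is well formed and its authenticator was
    computed with `secret`.  A shared secret that differs between the WLC
    RADIUS server entry and the ISE network device entry fails here, and
    the controller silently discards the CoA."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def tampered(packet):
    """Copy of the packet with the last attribute byte flipped."""
    data = bytearray(packet)
    data[-1] ^= 0x01
    return bytes(data)


# Constructed sample: ISE identifies the session by the client MAC address.
SHARED_SECRET = b"constructed-shared-secret"
SAMPLE_COA = build_coa_request(
    7,
    [(ATTR_USER_NAME, b"00-11-22-33-44-55"),
     (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")],
    SHARED_SECRET,
)
```

The example deliberately stops at the Request Authenticator; the attributes ISE pushes in the CoA (such as the redirect ACL name) ride in the same attribute list and are protected by the same hash, so a mismatched secret invalidates all of them at once.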

This appendix describes the steps necessary to configure external web authentication using a Cisco WLC and Cisco ISE.

Configuring Cisco Wireless LAN Controller

In order for the WLC to support web authentication with an external server (ISE), the following components must be configured:

Authentication Server

Accounting Server (optional)

WLAN

FlexConnect ACL


Adding an Authentication Server

The external server must first be added to the WLC configuration before it can be used as the Web Authentication Portal:

1. Navigate to Security -> AAA -> RADIUS -> Authentication.

Figure 11 Navigate to RADIUS Authentication Server List

2. Click New….

Figure 12 Add New RADIUS Authentication Server Entry

3. Add the following configuration:

ISE Server IP Address

Shared secret—This secret will have to match the secret when the Network Device is added to ISE.

Enable Server Status.

Enable Support for CoA.

Enable Network User.

Enable Management.


Figure 13 RADIUS Authentication Server Configuration

Adding an Accounting Server

If accounting services are also desired:

1. Navigate to Security -> AAA -> RADIUS -> Accounting.

Figure 14 Navigate to RADIUS Accounting Server List

2. Click New….

Figure 15 Add New RADIUS Accounting Server Entry

3. Add the following configuration:

ISE Server IP Address

Shared secret—This secret will have to match the secret when the Network Device is added to ISE.


Enable Server Status.

Enable Network User.

Figure 16 RADIUS Accounting Server Configuration

Creating the WLAN

Once the FlexConnect ACLs, Authentication Server entry, and Accounting Server entry have all been configured, create the WLAN for user network access:

1. Navigate to WLANs.

Figure 17 Navigate to WLANs

2. Select Create New from the drop-down menu and click Go.

3. Enter the values:

Type—WLAN

A Profile Name

The broadcast SSID


Figure 18 Create New WLAN

4. Select Apply.

5. Under the General tab:

Make sure the Profile Name and SSID are correct.

Tick both the Status and Broadcast SSID checkboxes.

Select the interface on which the WLC and Access Point (AP) will communicate.

Figure 19 WLAN General Tab

6. Under the Security tab:

Set Layer 2 Security to None.

Enable Mac Filtering.


Figure 20 WLAN Layer 2 Security Tab

Set Layer 3 Security to None.

Figure 21 WLAN Layer 3 Security Tab

Enable Authentication Servers and Accounting Servers.

— Select the previously configured servers.

Figure 22 WLAN AAA Servers Security Tab

7. Under the Advanced tab:


Allow AAA Override must be Enabled.

Set NAC State to ISE NAC.

Set DHCP Addr. Assignment to Required.

Figure 23 DHCP Addr. Assignment Required

Enable FlexConnect Local Switching.

Figure 24 Enable FlexConnect Local Switching

Creating a FlexConnect Access Control List (ACL)

The next step is to create a redirect ACL. This ACL is referenced by the Authorization Profile in ISE and it defines what traffic should or should not be redirected. More specifically, all DNS traffic and all communication with ISE will be allowed, while any other traffic will be redirected.


To create the FlexConnect ACL:

1. Navigate to Security -> Access Control Lists -> FlexConnect ACLs.

Figure 25 FlexConnect ACL

2. Click New.

3. Enter a value for Access Control List Name.

This value must be the same as the one defined in ISE as described in Configuring Cisco Identity Services Engine, page 35.

Figure 26 New Access Control List

4. Click Apply.

5. Select the newly created blue link under ACL Name.


Figure 27 Select the Access Control List

6. Click Add New Rule and add rules to match Figure 28.

10.2.5.9 should be replaced with the ISE IP address.

Figure 28 FlexConnect ACL CONFIG
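Figure 28 is not reproduced here, so the following added example (not WLC code) models the rule set the text describes: DNS in both directions and all traffic to or from ISE pass untouched, and every other flow from an unauthenticated client is redirected to the portal. It assumes the AireOS redirect-ACL convention that a permit entry bypasses redirection and the implicit deny at the end redirects; the client addresses, the portal port 8443 (the ISE guest portal default) and the web destination are constructed, and 10.2.5.9 is the page's placeholder for the ISE address.

```python
import ipaddress

# The page's placeholder for the ISE address; replace with the real one.
ISE_IP = "10.2.5.9"


class Rule:
    """One FlexConnect ACL entry.  Assumption: in a WLC redirect ACL a
    'permit' entry lets the flow through untouched, and anything that
    falls to the implicit deny is redirected to the guest portal."""

    def __init__(self, action, proto, src, dst, sport=None, dport=None):
        self.action, self.proto = action, proto
        self.src, self.dst = src, dst
        self.sport, self.dport = sport, dport

    @staticmethod
    def _addr_ok(spec, ip):
        return (spec == "any"
                or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False))

    def matches(self, f):
        return ((self.proto == "any" or self.proto == f["proto"])
                and self._addr_ok(self.src, f["src"])
                and self._addr_ok(self.dst, f["dst"])
                and (self.sport is None or self.sport == f["sport"])
                and (self.dport is None or self.dport == f["dport"]))


REDIRECT_ACL = [
    Rule("permit", "udp", "any", "any", dport=53),   # DNS queries
    Rule("permit", "udp", "any", "any", sport=53),   # DNS answers
    Rule("permit", "any", "any", ISE_IP),            # client -> ISE (portal)
    Rule("permit", "any", ISE_IP, "any"),            # ISE -> client
]


def classify(f, acl=REDIRECT_ACL):
    """First matching entry decides; no match means redirect."""
    for rule in acl:
        if rule.matches(f):
            return "pass" if rule.action == "permit" else "redirect"
    return "redirect"


def flow(src, dst, proto, sport, dport):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


# Constructed sample flows from a client on the 192.168.0.0/24 LAN used above.
SAMPLE_FLOWS = [
    flow("192.168.0.50", "192.168.0.1", "udp", 51000, 53),     # DNS lookup
    flow("192.168.0.50", ISE_IP, "tcp", 51001, 8443),          # guest portal
    flow(ISE_IP, "192.168.0.50", "tcp", 8443, 51001),          # portal reply
    flow("192.168.0.50", "203.0.113.10", "tcp", 51002, 80),    # original web request
    flow("192.168.0.50", "203.0.113.10", "tcp", 51003, 443),   # HTTPS, also redirected
]


def classify_all(flows=SAMPLE_FLOWS, acl=REDIRECT_ACL):
    return [classify(f, acl) for f in flows]
```

Running classify_all() over the sample flows shows why the ACL name must match on both sides: the same entries are what the Authorization Profile in ISE references by name in a later section, and a typo there leaves every flow, portal traffic included, on the redirect path.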

Configuring Access Point FlexConnect

FlexConnect configuration is utilized in the RaMA solution, which allows the data traffic to be switched locally as opposed to going over the CAPWAP tunnel to the WLC. This cuts down on inefficient pathing of data traffic and decreases the workload for the WLC. The FlexConnect base configuration is as follows:

Figure 29 WLC Wireless Configuration

Once the AP has been added:

1. On the General tab, change the AP Mode to FlexConnect. The AP will then reboot.


Figure 30 AP Mode to FlexConnect

2. Once in FlexConnect mode, map the correct VLANs for control and data traffic on the FlexConnect tab. All control and data traffic between AP and WLC is on native VLAN 1 in this configuration.

Figure 31 FlexConnect VLAN Mapping

3. To configure the client traffic, select VLAN Mappings.

4. All client traffic must flow on VLAN 1 as shown in Figure 32.


Figure 32 Yard AP VLAN Mapping

5. Select External WebAuthentication ACLs.

Figure 33 External WebAuthentication ACLs

6. Select the ACL that was created in the previous section for both WebAuth ACL and Policy ACL.

This will apply the ACL to the AP, so that all non-DNS traffic will be appropriately redirected to ISE to initiate authentication.


Figure 34 ACL Mapping

Once this is done, the final step is configuring ISE.

Configuring Cisco Identity Services Engine

Creating Network Devices

When the authentication request is sent from the WLC to ISE, ISE must first check to see if the WLC is a trusted device. To do this, a corresponding Device must be created:

1. Navigate to Administration -> Network Devices.


Figure 35 Network Devices

2. Create a new Network Device.

Add a descriptive Name for the WLC.

Add IP address of the WLC.

Select Device Type as All Device Types.

Tick RADIUS Authentication Settings.

Specify the Shared Secret as specified in the AAA configuration on the Hub.

Click Save when complete.


Figure 36 Add a Network Device

Once the WLC has been added as a network device, a Web Portal must be created.

Creating a Web Portal

1. Navigate to Work Centers -> Guest Access -> Portals & Components.


Figure 37 Portals & Components

2. Click Create and select Hotspot Guest Portal.

Figure 38 Hotspot Guest Portal

3. Enter a Portal Name and Description.

Portal Behavior and Flow Settings is used to outline the guest experience.

Portal Page Configuration is used to customize the portal pages themselves.


Figure 39 Hotspot Portal Name

4. Make sure that the appropriate interface is selected under Portal Settings -> Allowed Interfaces.

Figure 40 Portal Settings

Once this is done, the Authorization Profile must be created.


Creating an Authorization Profile

The Authorization Profile outlines what actions ISE should take if the Authorization Rule Condition (defined in the Policy Set section) is met. To configure the Authorization Profile:

1. Navigate to Policy -> Policy Sets -> Results.

Figure 41 Navigate to Authorization Profile

2. Expand Authorization, select Authorization Profiles, and then click + Add.

Figure 42 Add an Authorization Profile

In the Name field, enter a name for the profile. This example uses RAMA_SPLASH.

Choose ACCESS_ACCEPT from the Access Type drop-down list.

Select the Web Redirection check box and choose Hot Spot from the drop-down list.

In the ACL field, enter the name of the ACL on the WLC that defines the traffic to be redirected. These values must match.

In the value field, select the portal that was configured in the Web Portal section.


Check Static IP/Hostname/FQDN and enter the IP address of ISE.

Figure 43 Authorization Profile Configuration

With the Authorization Profile created, a Policy Set must be defined to reference it.

Defining Policy Sets

The policy set will define the logical flow of the authentication/authorization process. It will first check against an authentication ruleset for the WLC itself to make sure that the WLC is permitted. Afterwards, it will ensure that:

ISE accepts all of the MAC authentications from the WLC.

ISE will pursue authentication even if the user is not found.

To define the Policy Set:

1. Navigate to Policy -> Policy Set.

Figure 44 Policy Set


2. A new Policy Set can be made or the Default Policy Set can be modified. This implementation guide modifies the Default Policy Set.

Figure 45 Default Policy Set

Set Allowed Protocols/Server Sequence to Default Network Access.

Figure 46 Default Network Access

3. Expand the arrow under View to modify the Authentication and Authorization Policies.

Figure 47 Viewing the Policies

Configuring an Authentication Policy

The Authentication Policy ensures that the authorization of MAC Authentication Bypass (MAB) requests will still be pursued, even if the MAC addresses are not already known by ISE.

1. Expand Authentication Policy and click the + (plus sign) icon.

2. Enter a name for the Authentication Policy.


Figure 48 Authentication Policy

3. Click the + (plus sign) icon in the Conditions column to open the Conditions Studio.

4. In the Conditions Studio add the Wired_MAB and Wireless_MAB conditions with an OR logical operator.

Figure 49 Conditions Studio

5. Click the + (plus sign) icon in the Identity Source field and choose Internal Endpoints.

Figure 50 Internal Endpoint Selection

6. Choose Continue from the If user not found drop-down list.

This step allows the ISE to continue even though the user (or the MAC) is not known.


Figure 51 Internal Endpoint Behavior

Defining an Authorization Policy

The Authorization Policy is going to outline how users are allowed access to the network. Complete the following steps to define the Authorization Policy:

1. Expand Authorization Policy and click the + (plus sign) icon to add an Authorization Rule.

Figure 52 Add an Authorization Rule

2. Enter a Name for the Authorization Rule. This example uses “Wi-Fi_Redirect_to_Guest_Login”.

Figure 53 Authorization Policy Name

3. Click the + (plus sign) icon in the Conditions column to open the Conditions Studio.

4. Add a Condition to match Figure 54.


Figure 54 Add a Condition

5. Under the Results -> Profiles column, select the Authorization Profile that was created in an earlier section.

Figure 55 Apply the Authorization Rule

If the configuration were to stop here, unknown users would still be presented with the splash page. However, an authentication error would cause the user to be unable to join the network. Another authorization request must be sent to ISE to check if the user is now a part of an allowed group. To allow for this, an additional Authorization Rule must be added to the Authorization Policy.

6. Click the + (plus sign) icon next to Status to add another Authorization Rule.

Note: It is very important that this new rule comes before the “Wi-Fi_Redirect_to_Guest_Login” rule.

7. Enter a value in the name field. This example uses “Allow_Guest_Rule”.

8. In the condition field, click the + (plus sign) icon and choose to create a new condition.

Figure 56 Creating “Allow_Guest_Rule”

9. This example has three conditions:

Normalised Radius:RadiusFlowType—WirelessMAB

Network Access:Use Case—Guest Flow

IdentityGroup:Name—Endpoint Identity Groups:GuestEndpoints


Figure 57 “Allow Guest User” Conditions Studio Ruleset

10. After creating the Conditions Studio Ruleset, select Guest in the Security Group field.

Figure 58 Security Groups

11. Finally, select PermitAccess under Profiles so that the guest user is admitted to the network.

Figure 59 Permit Access
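The Authentication Policy above (MAB against Internal Endpoints with "If user not found" set to Continue) and the ordering note for the two Authorization Rules are easiest to reason about as a first-match evaluation. The following is an added example (not ISE code) that walks one guest endpoint through both authorizations, the one on association and the one after the portal registers the MAC and ISE sends CoA, with the rules in the documented order and in the reversed order. The attribute names follow this section; the MAC addresses are constructed, and since Figure 54 is not reproduced, the Wi-Fi_Redirect_to_Guest_Login condition is assumed to match any wireless MAB request.

```python
# Endpoint identity group membership ISE keeps; constructed sample.
KNOWN_ENDPOINTS = {"00:11:22:33:44:55": "GuestEndpoints"}


def authenticate_mab(mac, endpoints, if_user_not_found="Continue"):
    """Authentication rule: Wired_MAB OR Wireless_MAB against Internal
    Endpoints.  With 'If user not found' = Continue an unknown MAC still
    reaches the authorization policy; with Reject it is dropped here and
    never sees the splash page."""
    if mac in endpoints:
        return "Success"
    return "Continue" if if_user_not_found == "Continue" else "Reject"


def build_request(mac, endpoints, after_portal_login):
    """Attributes as ISE normalises them for a wireless MAB session,
    before and after the guest portal login.  'Host Lookup' is the
    ordinary MAB use case; 'Guest Flow' is set once the portal login
    has completed and the session is re-authorized."""
    group = endpoints.get(mac)
    return {
        "Normalised Radius:RadiusFlowType": "WirelessMAB",
        "Network Access:UseCase": "Guest Flow" if after_portal_login else "Host Lookup",
        "IdentityGroup:Name": ("Endpoint Identity Groups:" + group) if group else None,
    }


def allow_guest_rule(req):
    """The three conditions from step 9."""
    return (req["Normalised Radius:RadiusFlowType"] == "WirelessMAB"
            and req["Network Access:UseCase"] == "Guest Flow"
            and req["IdentityGroup:Name"] == "Endpoint Identity Groups:GuestEndpoints")


def wifi_redirect_rule(req):
    # Assumption: Figure 54 matches any wireless MAB request.
    return req["Normalised Radius:RadiusFlowType"] == "WirelessMAB"


# (rule name, condition, result profile), evaluated top to bottom; first match wins.
CORRECT_ORDER = [
    ("Allow_Guest_Rule", allow_guest_rule, "PermitAccess"),
    ("Wi-Fi_Redirect_to_Guest_Login", wifi_redirect_rule, "RAMA_SPLASH"),
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def authorize(req, policy):
    for _name, condition, result in policy:
        if condition(req):
            return result
    return "DenyAccess"   # ISE default authorization rule


def guest_session(mac, policy, endpoints=None):
    """Outcome of the two authorizations a guest goes through: the first on
    association, the second after the portal registers the MAC into
    GuestEndpoints and CoA re-authorizes the session."""
    endpoints = dict(endpoints or {})
    if authenticate_mab(mac, endpoints) == "Reject":
        return ("Reject", "Reject")
    first = authorize(build_request(mac, endpoints, after_portal_login=False), policy)
    endpoints[mac] = "GuestEndpoints"          # portal login registers the endpoint
    second = authorize(build_request(mac, endpoints, after_portal_login=True), policy)
    return (first, second)
```

With the rules in the documented order the unknown endpoint first receives the RAMA_SPLASH redirect profile and, after the portal login, PermitAccess. With the order reversed the redirect rule matches both times and the user is sent back to the splash page after authenticating, which is the loop the note in step 6 warns about.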

Troubleshooting

There are many possible reasons why web authentication is not successful. Troubleshooting Web Authentication on a Wireless LAN Controller (WLC) describes various reasons in detail: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html


Glossary

Term Definition

AAA Authentication, Authorization, and Accounting

AP Access Point

APN Access Point Name

AR Active Router

CAPWAP Control and Provisioning of Wireless Access Points

CLB Cluster Load Balancing

CVD Cisco Validated Design

DMVPN Dynamic Multipoint VPN

DNS Domain Name System

DoS Denial of Service

DPD Dead Peer Detection

EAP Extensible Authentication Protocol

EAPoL EAP over LAN

EEM Embedded Event Manager

GMM Cisco Gateway Management Module

GPT Cisco Kinetic Gateway Provisioning Tool

GRE Generic Routing Encapsulation

HER Headend Router

HSPA High Speed Packet Access

HSRP Hot Standby Router Protocol

ICMP Internet Control Message Protocol

IDS Intrusion Detection System

IKE Internet Key Exchange

IoT Internet of Things

IPS Intrusion Prevention System

IR Industrial Router

ISAKMP Internet Security Association and Key Management Protocol

ISE Cisco Identity Services Engine

LAP Lightweight Access Point

LLG Least Loaded Gateway

LTE Long Term Evolution

LWAP Lightweight Access Point

MIMO Multiple-Input and Multiple-Output

MPLS Multiprotocol Label Switching

MQC Modular QoS

mSATA mini-Serial Advanced Technology Attachment

NAT Network Address Translation


NGE Cisco Next-Generation Encryption

NHRP Next Hop Resolution Protocol

NTP Network Time Protocol

PoE Power over Ethernet

PSK Pre-Shared Keys

RaMA Cisco Remote and Mobile Assets

RFC Request for Comments

RHEL Red Hat Enterprise Linux

RTU Remote Terminal Unit

SCADA Supervisory Control and Data Acquisition

SFP Small Form-Factor Pluggable

SIM Subscriber Identification Module

SVI Switched Virtual Interface

UDP User Datagram Protocol

VIP Virtual IP address

VPN Virtual Private Network

VRF Virtual Routing and Forwarding

VTI Virtual Tunnel Interface

vWLC virtual Wireless LAN Controller

WAF Web Application Firewall

WAN Wide Area Network

WGB Workgroup Bridge

WLC Cisco Wireless LAN Controller

ZTD Zero-Touch Deployment
