Wireless Guest Access


Transcript of Wireless Guest Access

  • 7/22/2019 Wireless Guest Access

    1/86

    2/86

    2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-2013 Cisco Public

    Deploying Wireless Guest Access

    Paul Nguyen

    BRKEWN-2013

    3/86

    Abstract

    This session focuses on design requirements and deployment conside
    wireless Guest access solution. It discusses the main components of a
    guest access solution including how to provide network access to visit
    guest traffic across the network that is safe and secure. Attendees wil
    to a detailed discussion on various guest access services directly on t
    controllers (WLC), management of Guest services using Cisco Prime (PI),
    and integration with the Identity Services Engine (ISE) for various
    authentication services such as sponsored and self-service options. W
    discuss FlexConnect, Guest Anchor, and enhanced guest security with

    This session is especially useful for those attendees responsible for th
    Deployment Operations and Management of Enterprise Campus Wire
    It is assumed that all those attending this session have a working know
    switching and routing, fundamentals in 802.1X and Network Admission
    Knowledge of 802.11 WLAN fundamentals and WLAN security is requ

    4/86

    Agenda

    Overview: Guest Access as a Supplementary Authentication

    Guest Access Control & Path Isolation

    Secure Guest in FlexConnect

    Guest Authentication Portal

    Guest Provisioning

    Monitoring & Reporting

    Demo

    5/86

    Session Objectives

    Understand what wireless Guest Access Services are made of.

    Learn about the importance of isolating Guest traffic.

    See how guest access is integrated in Cisco Wi
    Solution.

    Securing FlexConnect is simple to understand and configure.

    Discover how Cisco ISE enhances Guest Services.

    6/86

    Guest Access Overview

    7/86

    Evolution of Network Access: Age of the Borderless Network

    (Diagram, laid out by Location and Health: Campus Network, Branch Network, Internet, VPN and Hotspot connectivity; endpoints shown include Employee (Sales) with "Managed Desktop?", Guest, Contractor, Game Console, IP Camera, Mobile Workers, Personal Devices, Wireless Employee, Security Systems and Printer.)

    8/86

    Context-Based Access: Who = User Identity

    Known/Managed Users (Long-term)

    Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Contractors

    Primary Auth Methods: 802.1X or Agent-based

    Considerations:

    Identity Stores

    EAP types and supplicant

    Unknown/Unmanaged Users (Temporary or Infrequent Access)

    Examples: Guests, Visitors, Short-term Partners/Contractors

    Primary Auth Method: Web authentication

    Considerations:

    Web Redirection and Authentication Portals

    Guest Provisioning and Identity Stores

    9/86

    Corporate vs Guests

    (Diagram: APs reach the WLC over CAPWAP; the WLC carries VLAN 30 and VLAN 50 on an 802.1Q trunk; ISE authenticates an Employee device and a Guest device. Steps: 1 EAP Authentication, 2 Accept with VLAN 30, 3 Web Auth, 4 Accept with GUEST.)

    Users with Corporate Devices with their AD user id can be assigned Employee VLAN

    Guests authenticate via Web Auth and are assigned to a GUEST-A
    the Guest VLAN

    10/86

    Requirements for Secure Guest Access (Technical, Usability, Monitoring)

    No access until authorized

    Guest traffic should be segregated from the inter

    Web-based authentication

    Full auditing of location, MAC, IP address, username

    Overlay onto existing enterprise network

    Bandwidth and QoS management

    No laptop reconfiguration, no client software required

    Plug & Play

    Splash screens and web content can differ by location

    Easy administration by non-IT staff

    Guest network must be free or cost-effective a

    Mandatory acceptance of disclaimer or Acceptab
    before access is granted

    Logging and Monitoring

    Must not require guest desktop software or configuration

    11/86

    Guest Access Components

    (Diagram: Guest and Employee access into the Enterprise via NAC Guest, ACS 5.1 and the Identity Services Engine. Components called out: Customizable Login Page, Existing Credentials, Parity for Wired / Wireless, Centralized Web Page Management, Flexible Access Policies, Integrated Access Authentication, Centralized Accounting, 802.1X/MAB Compatibility.)

    12/86

    Guest Access Control & Path Isolation

    13/86

    Access Control: End-to-End Wireless Traffic Isolation

    The fact: traffic isolation achieved via CAPWAP is valid from the AP to the WLAN Controller.

    The challenge: how to provide end-to-end wireless guest traffic isolation, allowing internet access but preventing any other communications?

    (Diagram: CAPWAP APs tunnelling to the controller over CAPWAP.)

    14/86

    Path Isolation: Why Do We Need It for Guest Access?

    Extend traffic logical isolation end-to-end over L3 network domain

    Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, bandwidth, etc.)

    Securely transport the guest traffic across the internal network infrastructure to DMZ

    (Diagram: CAPWAP tunnels from the APs to the controller.)

    15/86

    Guest Access Control

    CAPWAP tunnel is a Layer 2 tunnel (encapsulates original Ethernet frame)

    Same CAPWAP tunnel used for data traffic of different SSIDs

    Control and data traffic tunneled to the controller via CAPWAP: data uses UDP 5247, control uses UDP 5246

    Data traffic bridged by WLAN controller on a unique VLAN corresponding to each SSID

    Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

    CAPWAP - Control And Provisioning of Wireless Access Points

    (Diagram, Cisco WLAN Controller Deployments: APs tunnel over CAPWAP across the Campus Core to a WiSM WLAN controller, which bridges Guest and Employee traffic onto separate Wireless VLANs.)

    16/86

    Solution #1: Path Isolation using EoIP

    Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers

    Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN

    No need to define the guest VLANs on the switches connected to the remote controllers

    Original guest Ethernet frame maintained across CAPWAP and EoIP tunnels

    Redundant EoIP tunnels to the Anchor WLC

    Virtual WLC models can not terminate EoIP connections (no anchor role) or support IPSec Encrypted Tunnels on the remote WLC

    2500 can now support up to 15 EoIP tunnels.

    (Diagram, WLAN Controller Deployments with EoIP Tunnel: guest traffic travels over CAPWAP to the remote controller, then over the EoIP Guest Tunnel to the anchor controller behind a Cisco ASA Firewall, and out to the Internet.)

    17/86

    Guest Network Redundancy

    Using EoIP Pings (data path) functionality, Anchor WLC reachability will be determined

    Foreign WLC will send pings at configurable intervals to see if Anchor WLC is alive

    Once an Anchor WLC failure is detected, a DEAUTH is sent to the client

    Remote WLC will keep on monitoring the Anchor WLC

    Under normal conditions round-robin fashion is used to balance clients between Anchor WLCs

    (Diagram: CAPWAP from the APs across the Campus Core to the foreign WLC; EtherIP Guest Tunnels over a Primary Link and a Redundant Link to two Anchor WLCs in front of the Internet; Secure Wireless VLANs; Guest VLAN 10.10.60.x/24; Management 10.10.80.3.)

    18/86

    Implementing Guest Path Isolation Using WLC: Building the EoIP Tunnel

    1. Specify a mobility group for each WLC

    2. Open ports for:
       Inter-Controller Tunneled Client Data
       Inter-Controller Control Traffic
       EoIP tunnel protocol
       Other ports as required

    3. Create Guest VLAN on Anchor controller(s)

    4. Create identical WLANs on the Remote and Anchor controllers

    5. Configure the mobility groups and add the MAC-address and IP address of the remote WLC

    6. Create the Mobility Anchor for the Guest WLAN

    7. Modify the timers in the WLCs

    8. Check the status of the Mobility Anchors for the WLAN

    19/86

    Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Remote Controller Configuration

    Anchor and Remote WLCs are configured in different Mobility Groups

    20/86

    Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor and Remote Controller Configuration

    Configure Guest WLANs on the Remote and Anchor controllers

    Configure Guest VLAN on the Anchor WLC

    21/86

    Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor and Remote Controller Configuration

    Configure the mobility groups and add the MAC-address and IP address
    WLCs

    (Panels: Anchor, Remote)

    22/86

    Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Remote Controller Configuration

    Create the mobility anchor for the guest WLAN on Remote WLCs

    23/86

    Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor Controller Configuration

    Create the Mobility Anchor for the guest WLAN on Anchor WLC

    24/86

    Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor Controller

    Modify the timers and DSCP on the Anchor WLCs

    Check the status of the mobility anchors for the WLAN

    25/86

    Guest Path Isolation: Firewall Ports and Protocols

    Open ports in both directions for (must be open!):

    EoIP packets: IP protocol 97

    Mobility: UDP Port 16666

    Inter-Controller Data/Control Traffic: UDP 5247/5246

    Optional management/operational protocols:

    SSH/Telnet: TCP Port 22/23

    TFTP: UDP Port 69

    NTP: UDP Port 123

    SNMP: UDP Ports 161 (gets and sets) and 162 (traps)

    HTTPS/HTTP: TCP Port 443/80

    Syslog: TCP Port 514

    RADIUS Auth/Account: UDP Port 1812 and 1813
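    As an added example that is not part of the session, the following Python audits a constructed DMZ firewall rule set against the flows listed above: the four protocols marked "must be open" have to be permitted in both directions between the foreign (remote) WLC and the anchor WLC, and the optional management protocols that travel in cleartext (Telnet, TFTP, HTTP) are reported when the rule set opens them. The Rule/Flow structures, the zone names "foreign" and "anchor" and the sample rules are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permit rule on the DMZ firewall (constructed format, not a vendor syntax)."""
    src: str      # zone the flow originates in: "foreign" or "anchor" (assumed zone names)
    dst: str      # zone the flow is destined to
    proto: str    # "ip" for a raw IP protocol number, otherwise "udp" or "tcp"
    number: int   # IP protocol number when proto == "ip", destination port otherwise


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    number: int
    required: bool  # slide: the first group is "Must be Open!", the rest is optional


# Foreign (remote) WLC <-> anchor WLC flows exactly as listed on the slide above.
FLOWS = (
    Flow("EoIP", "ip", 97, True),
    Flow("Mobility", "udp", 16666, True),
    Flow("Inter-controller control", "udp", 5246, True),
    Flow("Inter-controller data", "udp", 5247, True),
    Flow("SSH", "tcp", 22, False),
    Flow("Telnet", "tcp", 23, False),
    Flow("TFTP", "udp", 69, False),
    Flow("NTP", "udp", 123, False),
    Flow("SNMP get/set", "udp", 161, False),
    Flow("SNMP trap", "udp", 162, False),
    Flow("HTTPS", "tcp", 443, False),
    Flow("HTTP", "tcp", 80, False),
    Flow("Syslog", "tcp", 514, False),
    Flow("RADIUS auth", "udp", 1812, False),
    Flow("RADIUS accounting", "udp", 1813, False),
)

# Optional protocols from the slide that carry management traffic unencrypted.
CLEARTEXT = {"Telnet", "TFTP", "HTTP"}

DIRECTIONS = (("foreign", "anchor"), ("anchor", "foreign"))


def permits(rules, src, dst, flow):
    """True when some rule opens this flow from the src zone to the dst zone."""
    return any(r.src == src and r.dst == dst and r.proto == flow.proto and r.number == flow.number
               for r in rules)


def audit(rules):
    """Report required flows that are not open in a direction, and cleartext
    management protocols that are open at all."""
    missing, cleartext_open = [], []
    for flow in FLOWS:
        for src, dst in DIRECTIONS:
            is_open = permits(rules, src, dst, flow)
            if flow.required and not is_open:
                missing.append(f"{flow.name} {src}->{dst}")
            if is_open and flow.name in CLEARTEXT:
                cleartext_open.append(f"{flow.name} {src}->{dst}")
    return {"missing_required": missing, "cleartext_open": cleartext_open}


# Constructed sample rule set: EoIP, mobility and control open both ways,
# inter-controller data opened in one direction only, and Telnet opened.
SAMPLE_RULES = (
    Rule("foreign", "anchor", "ip", 97), Rule("anchor", "foreign", "ip", 97),
    Rule("foreign", "anchor", "udp", 16666), Rule("anchor", "foreign", "udp", 16666),
    Rule("foreign", "anchor", "udp", 5246), Rule("anchor", "foreign", "udp", 5246),
    Rule("foreign", "anchor", "udp", 5247),
    Rule("foreign", "anchor", "tcp", 23),
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```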

    26/86

    Solution #2: Guest Path Isolation using VRF

    Virtual Routing / Forwarding (VRF) or VRF-lite is the L3 virtua
    in Enterprise Campus networks

    Guest isolation is done by dedicated VRF instances

    (Diagram, Campus Virtualization: a Global routing table plus an Employee VRF and a Guest VRF, each mapped onto logical or physical Layer 3 interfaces: 802.1q, GRE, MPLS/LSP, Physical Int, Others.)

    27/86

    Guest Path Isolation using VRF

    CAPWAP Path Isolation at Access Layer

    L2 Path Isolation between WLC and Default Gateway

    L3 VRF Isolation from WLC to Firewall Guest DMZ interface

    (Diagram, WLC and VRF Virtualization: Guests attach at the Corporate Access Layer and are carried over CAPWAP to the Wireless LAN Controller, onto an Isolated L2 VLAN, and then through the Guest VRF of the Corporate Intranet, separate from the Employee VRF, to the firewall; Guest Provisioning is shown alongside.)

    28/86

    Wireless Guest Access: Deployment Options Summary

    (Two designs compared, each shown with PI, LAN and Internet: Cisco Unified Wireless with No DMZ Controller, and Cisco Unified Wireless with VRF.)

    Feature                    | No DMZ WLC           | VRF
    Provisioning Portal        | Yes                  | Yes
    User Login Portal          | Yes                  | Yes
    Traffic Segmentation       | VLANs thru Network   | VRF thru Network
    User Policy Management     | Yes                  | Yes
    Reporting                  | Yes                  | Yes
    Overall Functionality      | Medium               | High
    Overall Design Complexity  | Medium               | High

    29/86

    Securing Guest with FlexConnect

    30/86

    FlexConnect and External WebAuth (Guest with FlexConnect)

    ISE for external webauth w
    central authentication with l

    Guest client is provided with
    to ISE

    Clients do webauth with I

    Guest moves to local switch

    (Diagram: Branch APs across the WAN; URL/ACL applied at the AP; Radius Auth and Webauth against ISE; VLAN Assignment.)

    31/86

    Guest with FlexConnect

    (Topology: a WLC Virtual Controller in FlexConnect Mode serving a Branch Office VLAN with an AP and Guests; an EoIP Tunnel to the Anchor Controller on the DMZ VLAN behind an ASA Firewall with Internet access; a Cisco 3750 Switch; the Corporate Intranet hosting Corporate Identity: Identity Services Engine, Active Directory Server and Certificate Authority Server.)

    32/86

    CWA on Wireless Controllers

    (Diagram: a Guest/Contractor associates to the Guest-SSID on the Access Point; the WLC performs MAB against ISE, which applies the Default Policy and returns a Redirect ACL & URL Redirect; ISE Guest DB and AD / CA hold the identities.)

    Blocking non-HTTP/DHCP/DNS Traffic

    33/86

    Foreign Controller Step-by-Step

    Pre-Requisites

    34/86

    Foreign Controller Step-by-Step

    1. Configure Interfaces

    2. Configure Mobility Group Members

    35/86

    Foreign Controller Step-by-Step

    1. Configure Interfaces

    2. Configure Mobility Group Members

    3. Configure WLAN

    4. Configure Mobility Anchors

    36/86

    Anchor Controller Step-by-Step

    Pre-Requisites: Allow A
    CWA (U
    NOT Required

    37/86

    Anchor Controller Step-by-Step

    1. Configure Interfaces

    2. Configure Mobility Group Members

    38/86

    Anchor Controller Step-by-Step

    1. Configure Interfaces

    2. Configure Mobility Group Members

    3. Configure WLAN

    4. Configure Mobility Anchors

    39/86

    Review Wireless CWA Config

    40/86

    CWA Session Flow

    (Diagram: Foreign WLC, Anchor WLC and ISE Server; Guest SSID; EoIP Tunnel between 10.1.100.61 / 00:50:56:B0:01:0E and 10.10.20.5 / D0:c2:82:dd:88:00.)

    41/86

    CWA Session Flow

    (Diagram: Foreign WLC, Anchor WLC and ISE Server; EoIP Tunnel between 10.1.100.61 / 00:50:56:B0:01:0E and 10.10.20.5 / D0:c2:82:dd:88:00.)

    User Open Browser

    42/86

    CWA Session Flow

    (Diagram: Foreign WLC, Anchor WLC and ISE Server; EoIP Tunnel between 10.1.100.61 / 00:50:56:B0:01:0E and 10.10.20.5 / D0:c2:82:dd:88:00.)

    User Open Browser

    43/86

    Guest Services Portal

    44/86

    When to Use Web-Authentication?

    Web Auth is a supplementary authentication method

    Most useful when users can't perform or pass 802.1X

    Primary Use Case: Guest Access

    Secondary Use Case: Employee who fails 802.1X

    (Diagram of authentication methods by user type:)
    802.1X: Managed 802.1X-devices, Known users (Employee with SSC)
    MAB (mac-address bypass): Managed devices
    Web Auth: Users without 802.1X d
    Users with Bad credentials (Employee with bad credentials)
    Guest

    45/86

    Guest Authentication Portal

    Wireless Guest Authentication Portal is available in 4 modes:

    Internal (Default Web Authentication Pages)

    Customized (Downloaded Customized Web Pages)

    External (Re-directed to external server)

    External Using ISE Guest Server

    46/86

    Wireless Guest Authentication Portal: Internal Web Portal

    Wireless guest user associates to the guest SSID

    Initiates a browser connection to any website

    Web login page will be displayed

    47/86

    Wireless Guest Authentication Portal: Customizable Web Portal

    Create your own Guest Access Portal web pages

    Upload the customized web page to the WLC

    Configure the WLC to use customizable web portal

    Customized WebAuth bundle up to 5 Mb in size can contain:
    22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
    22 login failure pages
    22 login successful pages

    48/86

    Wireless Guest Authentication Portal: External Web Portal

    Set in WLC > Security > WebAuth > Login

    Or override at Guest WLAN

    Option to use Pre-Auth ACL

    49/86

    Wireless Guest Authentication Portal: Centralized Login Page

    1) Administrator Creates WLAN Login Page on ISE

    2) Wireless Guest Opens Web browser

    3) Web traffic is intercepted by Wireless LAN Controller and redirected to Guest Server.

    4) Guest Server returns centralized login page

    (Diagram: the guest's browser request (2) passes through the AP and WLC, which issues the Redirect (3); the Guest Server returns the page (4).)

    50/86

    Guest Services Provisioning

    51/86

    Requirements for Guest Provisioning

    Might be performed by non-IT user

    Must deliver basic features, but might also require advanced features:
    Duration,
    Start/End Time,
    Bulk provisioning,

    Provisioning Strategies:
    Lobby Ambassador
    Employees

    52/86

    Multiple Guest Provisioning Services

    Cisco Guest Access Solution supports several provisioning tools, with different feature richness.

    Cisco WLC: Basic Provisioning (Included in Cisco Wireless LAN Solution)

    Cisco Prime Infrastructure: Advanced Provisioning (Additional Cisco Product)

    Cisco Identity Services Engine: Dedicated Provisioning (Additional Cisco Product)

    53/86

    Guest Provisioning Service: WLC

    Lobby Ambassador accounts can be created directly on W
    Controllers

    Lobby Ambassadors have limited guest feature and must c
    user directly on WLC:

    Create Guest User: up to 2048 entries

    Set time limitation: up to 35 weeks

    Set Guest SSID

    Set QoS Profile

    (Screenshot: Cisco Wireless LAN Controller.)

    54/86

    Guest Provisioning Service

    Lobby administrator can be created in WLC directly

    Create the Lobby Admin in WLC

    55/86

    Local WLC Guest Management

    Quickly Create Guest with Time and WLAN Profile

    Password i

    56/86

    Guest Provisioning Service: PI

    Cisco Prime Infrastructure offers specific Lobby Ambassad
    for Guest management only

    Lobby Ambassador accounts can be created directly on PI,
    defined on external RADIUS/TACACS+ servers

    Lobby Ambassadors on PI are able to create guest accoun
    advanced features like:

    Start/End time and date, duration,

    Bulk provisioning,

    Set QoS Profiles,

    Set access based on WLC, Access Points or Location

    (Screenshot: Cisco Prime Network Control System.)

    57/86

    Guest Provisioning Service: Lobby Ambassador Feature in Cisco Prime

    Associate the lobby admin with Profile and Location specific info

    58/86

    Guest Provisioning Service: Add a Guest User with PI

    59/86

    Guest Provisioning Service: Print/E-Mail Details of Guest User

    60/86

    Guest Provisioning Service: Schedule a Guest User

    61/86

    Cisco TrustSec Guest Services

    62/86

    Cisco ISE Guest Server: Guest User Creation

    1. Sponsor creates Guest Account through dedicated ISE server

    2. Credentials are delivered to Guest by print, email or SMS

    3. Guest Authentication on Guest portal

    4. RADIUS Request from WLC to Cisco ISE Server

    5. RADIUS Response with policies (session timeout, ...)

    6. RADIUS Accounting with session information (time, login, IP, MAC, ...)

    7. Traffic can go through

    (Diagram: a Sponsor, either a Lobby Ambassador or an Employee Sponsor, creates the account on the ISE Guest server; the Guest (Visitor, Contractor, Customer) authenticates through the Wireless controller on the Corporate Network, which exchanges RADIUS Requests and RADIUS Accounting with ISE; Policy and Monitoring are shown on ISE; steps 2 to 7 are numbered on the diagram.)

    63/86

    Web Auth and Guest Access: Wireless Considerations

    WLC 7.0 supports LWA; 7.2 adds CWA support

    ISE Guest Services requires account activation; initial web auth must be against ISE guest portal (LWA or CWA). As a result:

    o Requires ISE be the web auth portal for LWA; no support for hosting guest portal on WLC

    o For anchor controller deployments, requires pinhole through DMZ firewall back to ISE PSN on tcp/8443 from guest IP address pool.

    64/86

    Web Auth and Guest Access

    LWA vs CWA: piggybacks on MAB authentication policy rule. Configure:

    If User Not Found = Continue (default Reject)

    If MAC address lookup fails, reject the request and send access-reject.

    If MAC address lookup returns no result, continue the process and move to authorization

    65/86

    URL Redirection: Central Web Auth, Client Provisioning, Posture

    Redirect URL: For CWA, Client Provisioning, and Posture, U
    returned as a Cisco AV-pair RADIUS attribute.
    Ex: cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

    Redirect ACL: Access devices must be locally configured with
    at specifies traffic to be permitted (= redirected) or denied (
    redirection)
    ACL value returned as a named ACL on NAD
    Ex: cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRE
    ACL entries define traffic subject to redirection (permit) and traffic to
    redirection (deny)

    Port ACL: ACL applied to the port (default ACL, dACL, name
    that defines traffic allowed through port prior to redirection

    66/86

    Common URLs for Redirection

    URL Redirect for Central Web Auth:
    Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue

    URL Redirect for Client Provisioning and Posture:
    Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue

    URL Redirect ACL:
    Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRE

    LWA URL for Default ISE Guest Portal:
    https://ip:8443/guestportal/portal.jsp

    LWA URL for Custom ISE Guest Portal:
    https://ip:8443/guestportal/portals/ClientPortalName/portal.jsp

    CWA URL redirect for Custom ISE Guest Portal:
    Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?portal=ClientPortalName&sessionId=SessionIdValue&action=cwa
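    As an added example that is neither Cisco's code nor part of the session, the following Python parses cisco-av-pair attributes in the formats shown on the two slides above, checks that an Access-Accept carries a CWA redirect that is well formed and bound to the client's own session, and evaluates a redirect ACL with the permit-means-redirect semantics the slides state. The host ise.example.test, the session id, the ACL name ACL-CWA-REDIRECT and the ACL entries are constructed placeholders; the permit_means_redirect flag is an addition for AireOS WLCs, where permit entries bypass redirection instead.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

AV_PREFIX = "cisco:cisco-av-pair="


def parse_av_pairs(av_pairs):
    """Turn the cisco-av-pair strings of an Access-Accept into {attribute: value}."""
    attrs = {}
    for pair in av_pairs:
        if pair.lower().startswith(AV_PREFIX):   # the slides write both "cisco:" and "Cisco:"
            pair = pair[len(AV_PREFIX):]
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs


def check_cwa_redirect(attrs, session_id):
    """Return the problems found; an empty list means the Access-Accept carries a
    usable CWA redirect: an https URL to the ISE guest portal gateway on 8443,
    bound to this client's session id, with action=cwa, plus a named redirect ACL."""
    problems = []
    url = attrs.get("url-redirect")
    if url is None:
        problems.append("url-redirect missing")
    else:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if parts.scheme != "https":
            problems.append("redirect is not https")
        if parts.port != 8443:
            problems.append("redirect port is not 8443")
        if not parts.path.startswith("/guestportal/gateway"):
            problems.append("redirect does not target the guest portal gateway")
        if query.get("sessionId") != [session_id]:
            problems.append("sessionId does not match this client's session")
        if query.get("action") != ["cwa"]:
            problems.append("action is not cwa")
    if not attrs.get("url-redirect-acl"):
        problems.append("url-redirect-acl missing (nothing would be redirected)")
    return problems


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", or "ip" for any protocol
    dst_port: Optional[int]  # None matches any destination port


def redirected(acl, proto, dst_port, permit_means_redirect=True):
    """First-match evaluation of the redirect ACL. With the semantics stated on the
    slide, a permit entry marks traffic for redirection and a deny entry exempts it;
    traffic matching no entry is not redirected. AireOS WLCs invert the meaning
    (permit entries bypass redirection), so pass permit_means_redirect=False there."""
    for entry in acl:
        if entry.proto in ("ip", proto) and entry.dst_port in (None, dst_port):
            return (entry.action == "permit") == permit_means_redirect
    return False


# Constructed redirect ACL: exempt DHCP, DNS and the portal itself from redirection
# and redirect HTTP, i.e. the earlier slide's "blocking non-HTTP/DHCP/DNS traffic" pattern.
REDIRECT_ACL = (
    AclEntry("deny", "udp", 67),
    AclEntry("deny", "udp", 53),
    AclEntry("deny", "tcp", 8443),
    AclEntry("permit", "tcp", 80),
)

# Constructed Access-Accept; host, session id and ACL name are placeholders.
SAMPLE_SESSION = "0a01640a00000001"
SAMPLE_AV_PAIRS = [
    "cisco:cisco-av-pair=url-redirect=https://ise.example.test:8443/guestportal/gateway"
    f"?sessionId={SAMPLE_SESSION}&action=cwa",
    "cisco:cisco-av-pair=url-redirect-acl=ACL-CWA-REDIRECT",
]

if __name__ == "__main__":
    attrs = parse_av_pairs(SAMPLE_AV_PAIRS)
    print(check_cwa_redirect(attrs, SAMPLE_SESSION) or "CWA redirect attributes OK")
    print("HTTP redirected:", redirected(REDIRECT_ACL, "tcp", 80))
    print("DNS redirected:", redirected(REDIRECT_ACL, "udp", 53))
```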

    67/86

    ISE Sponsored Guests: Sponsor Portal

    Customizable Web Portal for Sponsors as well

    Authenticate Sponsors with corporate credentials:
    Local Database
    Active Directory
    LDAP
    RADIUS
    Kerberos

    68/86

    Guest Portal Localization

    Several Languages are Supported Natively in ISE 1.1

    All guest user pages are translated:
    Authentication page
    Acceptable usage policy
    Success/failure page

    69/86

    ISE Self-Registration

    70/86

    4. Guest is re-directed again to login again with auto generated username

    5. Guest is provisioned with Authorization Policy for Web Access Only

    6. Acc
    via sett

    (Diagram: GUEST Identity Store; Internet.)

    71/86

    ISE Guest User Portal Settings

    Guest Portals define what Guest Users will be allowed to perform:

    Guests can change password

    Guests change password at first login

    Guests can be allowed to download the posture client

    Guests can do self service

    Guests can be allowed to do device registration

    72/86

    Cisco ISE Guest Server: Sponsor Authentication: Local Account/AD

    Integrate with Active Directory

    Order Priority Sequence to AD > Internal

    Assign u

    73/86

    Cisco ISE Guest Server: Guest Portal Customization

    Multi-Portal Policies

    Password Policy

    Time Profiles

    74/86

    Cisco ISE Guest Server: Sponsor Portal

    https://:8443/sponsorportal/

    75/86

    Cisco ISE Guest Server: Sponsor Guest Account Creation

    Personal Settings

    Create/View/Modify Guest Accounts

    Tools to Manage Guest Accounts

    Email / Print / SMS

    76/86

    Guest Monitoring, Reporting andTroubleshooting

    77/86

    Live Guest Verification - ISE

    Monitor > Operations > Authentications window will show all Authentications including Guests

    Identity and Authorization can be found for Guests

    78/86

    Guest Monitoring - PI

    Monitor > Clients and Users window will show all Authenticatio
    Guests

    Identity and Authorization can be found for Guests

    79/86

    Guest Activity Reporting - ISE

    Guest Reports

    Drill Down Guest Detail

    80/86

    Guest Activity Reporting - PI

    Customized Profile and Scheduling

    Variable Reporting Periods

    81/86

    Summary

    82/86

    What We Have Covered

    What Guest Access Services are made of.

    The need for a secured infrastructure to support isolated Gue

    Unified Wireless is a key component of this infrastructure.

    The Guest Service components are integrated in Cisco Wired
    Solution.

    Securing FlexConnect is simple to understand and configure.

    Guest Access is one of the User Access Policies available to C
    Protect enterprise Borderless Network

    Cisco TrustSec enhances Guest Services overall.

    83/86

    BRKEWN-2013 Recommended Reading

    84/86

    Call to Action

    Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action

    Get hands-on experience attending one of the Walk-in Labs

    Schedule face to face meeting with one of Cisco's engineers at the Meet the Engineer center

    Discuss your project's challenges at the Technical Solution

    85/86

    86/86