© 2006, Cisco Systems, Inc. All rights reserved.14498_04_2008_c2.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-201614498_04_2008_c2 2
Designing Guest Access with the Cisco Unified Wireless Network
BRKAGG-2016
Agenda
Guest Access Drivers and Requirements
Guest Access in the Campus
1. Access Control
2. Path Isolation
3. Services Edge
Unified Wired and Wireless Guest Access
Cisco NAC Guest Server
Guest Access Use Cases
Q&A
Drivers for Guest Network Access
Visitor Access for VPN
Providing a Positive Visitor Experience
Streamlining IT Management and Control
Internet Access for Customers
Contractor Secured Internal Network Access
On-Site Vendor Demos
Segmenting Visitors from Subsidiaries
Network Integrity and Security
Customized Access
Simplified Network Design
Cost-Effective Deployment and Operations
Balancing the Needs of Guest Users and IT Departments
The Challenge of the “Guest” User
Guest traffic should be segregated from the internal network
Limited internal network access must be extended to guests securely
“Guest network” must be cost-effective and non-disruptive
Must not require guest desktop software or configuration
[Diagram: visitors (vendors, contractors, etc.) reach the Internet through the internal network and data center]
Types of Network Users
Corporate Employees (full access)
• Need internal network access
• Can be role based to allow granular access if needs require
Contractors/Consultants
• Need restricted internal access
• Printers
• File shares
• Specific applications
• Device support
Guest Users (Internet only)
• Internet access only
• No need to access internal systems
• Segment access completely
Cisco Guest Services Give You Control
Network Virtualization Functional Architecture
Functions by block:
Access Control (branch, campus):
• Authenticate client (user, device, app) attempting to gain network access
• Authorize client into a partition (VLAN, ACL)
• Deny access to unauthenticated clients
Path Isolation (WAN, MAN, campus):
• Maintain traffic partitioned over the Layer 3 infrastructure
• Transport traffic over isolated Layer 3 partitions (VRFs, GRE, MPLS)
• Map the Layer 3 isolated path to VLANs in the access and services edge
Services Edge (data center, Internet edge, campus):
• Provide access to services: shared or dedicated
• Apply policy per partition
• Isolate application environments if necessary
Agenda
Guest Access Drivers and Requirements
Guest Access in the Campus
1. Access Control: Wired Clients, Wireless Clients
2. Path Isolation
3. Services Edge
Unified Wired and Wireless Guest Access
Cisco NAC Guest Server
Guest Access Use Cases
Q&A
Access Control: Wired Clients
Static guest VLAN configuration: ports may end up being underutilized
802.1x guest VLAN: allows clients not equipped with an 802.1x supplicant access to the network
802.1x auth-failed VLAN: allows clients failing 802.1x authentication access to the network
802.1x features tested with Windows embedded 802.1x supplicant and Cisco Secure Services Client (CSSC)
Access Control: 802.1x Guest VLAN
Any 802.1x-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1x hellos)
No further security or authentication is applied; it is as if the administrator de-configured 802.1x and hard-set the port into the specified VLAN
Timeline of the switch 802.1x process toward the client (all frames sent to D = 01.80.c2.00.00.03):
1. Upon link up: EAP-Identity-Request; no response from the client
2. After 30 seconds: EAP-Identity-Request retransmitted; no response
3. After 30 seconds: EAP-Identity-Request retransmitted; no response
4. After 30 seconds: EAP-Success sent and the port is deployed into the guest VLAN
Note: the timer values displayed above are the defaults and can be tuned
Access Control: 802.1x Guest-VLAN Parameters
The configurable values for the parameters are:
max-reauth-req: 1–10
tx-period: 1–65535 sec.
Configuring the minimum values, a switch port can be deployed into the guest VLAN in two seconds
Minimum software version required for consistency:
Cisco Catalyst 2950: 12.1(22)EA5
Cisco Catalyst 3560: 12.2(25)SEE
Cisco Catalyst 3750: 12.2(25)SEE
Cisco Catalyst 4500: 12.2(31)SG
Cisco Catalyst 6500 (CatOS): 8.1(1)
Cisco IOS:
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 dot1x guest-vlan 10
 spanning-tree portfast
CatOS:
set vlan 2 2/1
set port dot1x 2/1 port-control auto
set port dot1x 2/1 guest-vlan 10
set spantree portfast 2/1 enable
set dot1x max-req 1
set dot1x tx-period 1
Access Control: 802.1x Auth-Fail VLAN
The authenticator (access switch) counts the failed authentication attempts for the client
When this count exceeds the configured maximum number of authentication attempts (default is 3), the port is deployed into the auth-fail VLAN
At that point the client can pull an IP address and gain network connectivity
Access Control: Deploying 802.1x Auth-Fail VLAN
In a guest access scenario, the auth-fail VLAN should be configured with the same value as the guest VLAN
Allows visitors to get network access independently of 802.1x support on their machine
Cisco IOS:
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 10
 dot1x auth-fail vlan 10
 spanning-tree portfast
CatOS:
set vlan 2 2/1
set port dot1x 2/1 port-control auto
set port dot1x 2/1 guest-vlan 10
set port dot1x 2/1 auth-fail-vlan 10
set spantree portfast 2/1 enable
Access Control: End-to-End Wired Traffic Isolation
The fact: VLAN isolation ceases to exist once we reach the first L3 hop (usually the distribution layer device)
The challenge: how to provide end-to-end guest traffic isolation, allowing Internet access but preventing any other communication?
Access Control: Wireless Clients
How does a wireless user connect to the network?
Associate to the access point using an SSID
For each defined SSID we can have a different authentication method (EAP type)
Guest user associates to the open Guest SSID
Easiest deployment, no configuration required on the client side
SSID—Service Set Identifier
Access Control: Standalone AP Deployments
Use of an 802.1Q trunk for the switch-to-AP connection to carry all the defined VLANs (one VLAN per SSID)
Isolation of guest traffic in the L2 domain using a dedicated guest VLAN associated to the guest SSID
Traffic isolation provided by VLANs is valid up to the first L3 hop device:
Distribution layer (multilayer campus design)
Access layer (routed access campus design)
[Diagram: Guest and Emp SSIDs on each standalone AP mapped to Guest and Emp wireless VLANs, carried over trunks toward the campus core]
Access Control: Standalone AP Deployments (Configuration)
Access Point (map SSIDs to VLANs locally on the AP):
dot11 vlan-name Emp vlan 3
dot11 vlan-name Guest vlan 4
!
dot11 ssid Employee
 vlan 3
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
dot11 ssid Guest
 vlan 4
 authentication open
 guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! TKIP cipher bound to the employee VLAN (3); the guest VLAN (4) stays open
 encryption vlan 3 mode ciphers tkip
 !
 ssid Employee
 !
 ssid Guest
Access Layer Switch (define a trunk between the AP and the access layer switch):
vlan 2
 name AP_Mgmt
!
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface FastEthernet0/1
 description Trunk to AP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4
 switchport mode trunk
Distribution Layer Switch (SVIs for each SSID are defined on the first L3 hop device):
vlan 2
 name AP_Mgmt
!
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan2
 description AP_Mgmt
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
SVI—Switched Virtual Interface
Access Control: Cisco WLAN Controller Deployments
LWAPP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)
Same LWAPP tunnel used for data traffic of different SSIDs
Control and data traffic tunneled to the controller via LWAPP: data uses UDP 12222, control uses UDP 12223
Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID
Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
[Diagram: LWAPP tunnels from the APs across the campus core to a WiSM/WLAN controller, where the Guest and Emp SSIDs are bridged onto the Guest and Emp wireless VLANs]
LWAPP—Lightweight Access Point Protocol
Access Control: WLAN Controller Deployments (Configuration)
Access Layer Switch (no trunk between the AP and the access layer switch; only the AP management VLAN is defined):
vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access
Cisco Catalyst Switch connected to the WLAN Controller (SVIs corresponding to each SSID are defined here):
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown
Access Control: WLAN Controller Deployments (Controller Configuration)
1. Create the employee and guest VLANs in the controller
2. Map the employee WLAN in the controller to the respective employee VLAN
3. Map the guest WLAN in the controller to the respective guest VLAN
Access Control: End-to-End Wireless Traffic Isolation
The fact: VLAN isolation for standalone APs is valid up to the first L3 hop
Traffic isolation achieved via LWAPP is valid from the AP to the WLAN controller (centralized deployment is recommended)
The challenge: how to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communication?
Agenda
Guest Access Drivers and Requirements
Guest Access in the Campus
1. Access Control
2. Path Isolation: Distributed ACLs, VRF-Lite and GRE Tunnels, VRF-Lite End-to-End, EoIP Tunnels
3. Services Edge
Unified Wired and Wireless Guest Access
Cisco NAC Guest Server
Guest Access Use Cases
Q&A
Path Isolation: Why Do We Need It for Guest Access?
Extend logical traffic isolation end-to-end over the L3 network domain
Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, etc.)
Securely transport the guest traffic across the internal network infrastructure
Path Isolation: Distributed ACLs for Wired and Wireless Clients
Routed ACLs (RACLs) defined on the first L3 edge devices:
Distribution layer: multilayer design
Access layer: routed access design
Apply to wired and wireless traffic
For hub-and-spoke connectivity
ip access-list extended Guest_RACL
 10 permit udp any any eq bootps
 20 permit udp any host <DNS-Svr> eq domain
 30 permit tcp any host <web-auth-dev> eq www
 40 deny ip any 10.0.0.0 0.255.255.255
 50 deny ip any 172.16.0.0 0.15.255.255
 60 deny ip any 192.168.0.0 0.0.255.255
 70 permit ip any any
! Apply the RACL inbound on the SVI of the first L3 hop
interface Vlan50
 description Wired-guest-floor1
 ip address 10.124.50.2 255.255.255.0
 ip access-group Guest_RACL in
Path Isolation: Distributed ACLs—Pros and Cons
Pros:
HW-based forwarding
Simple initial deployment
Similar ACEs on each edge device
Supports wired and wireless clients (independently also from the wireless deployment)
Cons:
Guest traffic handled in the global routing table
Prone to config errors
IT departments uncomfortable with allowing guest traffic in the internal network (global table)
Path Isolation: Device and Data Path Virtualization
Device virtualization (VRF versus the global table, on a logical or physical Layer 3 interface):
Control plane virtualization
Data plane virtualization
Services virtualization
Data path virtualization:
Single-hop: 802.1q, DLCI, VPI/VCI
Multi-hop: PW, VFI
VRF—Virtual Routing and Forwarding
Path Isolation: VRF-Lite and GRE Tunnels
Hub-and-spoke overlay network
Point-to-point GRE interfaces on each spoke (spoke-to-spoke communication not required)
Point-to-point or multipoint GRE on the hub
Routing protocol (EIGRP or OSPF) running in the context of Guest VRF
Default-route only for the spokes
Hub knows all the remote guest subnets
Preventing inter-subnet communication at the hub (when needed)
Path Isolation: Use of p2p GRE Technology (Hub and Spokes)
Hub configuration:
ip vrf guest
 rd 100:1
!
interface Tunnel0
 description GRE to spoke 1
 ip vrf forwarding guest
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 tunnel source Loopback0
 tunnel destination 10.123.100.1
!
interface Tunnel1
 description GRE to spoke 2
 ip vrf forwarding guest
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 tunnel source Loopback1
 tunnel destination 10.123.100.2
Spoke configuration:
ip vrf guest
 rd 100:1
!
interface Tunnel0
 description GRE to hub 1
 ip vrf forwarding guest
 ip address 192.168.100.2 255.255.255.0
 tunnel source Loopback100
 tunnel destination 10.126.100.1
!
interface Tunnel1
 description GRE to hub 2
 ip vrf forwarding guest
 ip address 192.168.200.2 255.255.255.0
 tunnel source Loopback200
 tunnel destination 10.126.200.1
!
interface Vlan10
 description Guest Subnet
 ip vrf forwarding guest
 ip address 10.10.10.1 255.255.255.0
Path Isolation: Enabling a Routing Protocol
EIGRP (leverages address-families to enable routing across different VRFs):
router eigrp 100
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 no auto-summary
 !
 address-family ipv4 vrf guest
  network 172.32.1.0 0.0.0.255
  no auto-summary
  autonomous-system 100
 exit-address-family
OSPF (defines a separate process for each configured VRF):
router ospf 1 vrf guest
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 network 172.32.1.0 0.0.0.255 area 0
Path Isolation: VRF-Lite and GRE Tunnels—Pros and Cons
Pros:
True routing and forwarding segmentation
Simplifies path differentiation (different default route used for employees and guests)
Supports wired and wireless clients (independently from the specific wireless deployment)
Cons:
Limited GRE support on Cisco Catalyst platforms
Limited scalability: recommended for hub-and-spoke deployments
Path Isolation: VRF-Lite End-to-End
VRF-lite on all routed hops: core and distribution
802.1q tags provide single-hop data path virtualization
Every link is an 802.1q trunk
These trunks do not extend VLANs throughout the campus
Trunks are used to virtualize the data path between multiple virtual routers
Every physical link carries multiple logical routed links
[Diagram: multi-VRF switches connected by 802.1q trunks; every hop is routed (Layer 3), not bridged, with L2 only at the access edge]
Path Isolation: VRF-Lite End-to-End—Pros and Cons
Pros:
True routing and forwarding segmentation
Simplifies path differentiation (different default route used for employees and guests)
Supports wired and wireless clients (independently from the specific wireless deployment)
Widely supported across Cisco Catalyst platforms
Cons:
Limited scalability: recommended for a low number of VPNs (up to 10–12)
Limited multicast support in the context of a VRF (6500 only)
Path Isolation: WLAN Controller Deployments with EoIP Tunnel
Use of EoIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers
Other traffic (employee, for example) is still locally bridged at the edge controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the edge controllers
Original guest's Ethernet frame maintained across LWAPP and EoIP tunnels
Redundant EoIP tunnels to the anchor WLC
2106 model can't terminate EoIP connections (no anchor role)
[Diagram: edge controllers bridge the Emp SSID locally on the Emp wireless VLAN and carry the Guest SSID over redundant EoIP "Guest Tunnels" across the campus core to the guest WLAN controller (anchor), which connects to the Internet]
Path Isolation: How to Do EoIP Tunneling
1. Specify a mobility group for each WLC
2. Open ports for inter-controller tunneled client data and inter-controller control traffic
3. Configure the mobility groups and add the MAC address and IP address of the remote WLC
4. Create the mobility anchor for the guest WLAN
5. Modify the timers in the WLCs
6. Check the status of the mobility anchors for the WLAN
Pros:
Simple configuration
Overlay solution: no need to modify the network configuration
Cons:
Support for wireless and wired (layer-2 adjacent) guest clients only
Limited to WLAN controller wireless deployments
Path Isolation: WLAN Controller Deployments with EoIP Tunnel (Mobility Group)
Each WLC is part of a mobility group
Path Isolation: Firewall Ports
Open ports for:
Inter-controller tunneled client data: IP protocol 97
Inter-controller control traffic: UDP port 16666 (or 16667, if encrypted)
Optional management/operational protocols:
SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: TCP port 514
These ports must be open!
Path Isolation: WLAN Controller Deployments with EoIP Tunnel (Controller Configuration)
Configure the mobility groups and add the MAC address and IP address of the remote WLC
Create the mobility anchor for the guest WLAN
Modify the timers in the WLCs
Check the status of the mobility anchors for the WLAN
Path Isolation: Sample Firewall Configuration
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.60.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16666
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16667
access-list DMZ extended permit 97 host 10.10.51.2 host 10.10.60.2
!
global (dmz) 1 interface
nat (inside) 1 10.10.60.0 255.255.255.0
static (inside,dmz) 10.10.60.2 10.10.60.2 netmask 255.255.255.255
access-group DMZ in interface dmz
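As an added example (not part of the deck), a small Python evaluator for the Guest_RACL from the distributed-ACL section and for the ASA DMZ ACL in the sample firewall configuration above: it parses IOS and ASA extended ACEs (wildcard masks, host entries, named ports, numeric protocols), applies first-match semantics with the implicit deny, and checks sample guest and controller flows. The addresses 10.124.1.10 and 10.124.1.20 are constructed stand-ins for the <DNS-Svr> and <web-auth-dev> placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Named ports and protocols as they appear in the deck's ACLs (numbers are accepted too).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}  # None = any IP protocol
Addr = Tuple[int, int]  # (address bits that must match, care mask)


def _parse_addr(toks: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' starting at toks[i]."""
    if toks[i] == "any":
        return (0, 0), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(toks[i]))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[i + 1]))  # wildcard bit 1 = don't care
    return (net & care, care), i + 2


def _parse_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq <port>' clause after an address; None means any port."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str) -> Dict:
    """Parse one ACE in IOS form ('10 permit udp any any eq bootps') or ASA form
    ('access-list DMZ extended permit 97 host A host B')."""
    toks = line.split()
    if toks[0] == "access-list":  # ASA: drop 'access-list <name> extended'
        toks = toks[3:]
    elif toks[0].isdigit():       # IOS: drop the sequence number
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    proto_num = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return {"action": action, "proto": proto_num, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line.strip()}


def parse_acl(text: str) -> List[Dict]:
    """Parse an ACL body, skipping blank lines and '!' comment lines."""
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def _addr_matches(rule: Addr, ip: str) -> bool:
    net, care = rule
    return (int(ipaddress.IPv4Address(ip)) & care) == net


def evaluate(acl: List[Dict], proto: int, src: str, dst: str,
             dport: Optional[int] = None, sport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation with the implicit 'deny ip any any' at the end.
    Returns (action, text of the matching ACE)."""
    for ace in acl:
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


# The deck's Guest_RACL; 10.124.1.10 / 10.124.1.20 are constructed stand-ins for <DNS-Svr> / <web-auth-dev>.
GUEST_RACL = parse_acl("""
10 permit udp any any eq bootps
20 permit udp any host 10.124.1.10 eq domain
30 permit tcp any host 10.124.1.20 eq www
40 deny ip any 10.0.0.0 0.255.255.255
50 deny ip any 172.16.0.0 0.15.255.255
60 deny ip any 192.168.0.0 0.0.255.255
70 permit ip any any
""")

# The deck's ASA ACL applied inbound on dmz: only mobility control (UDP 16666/16667) and EoIP (IP 97).
DMZ_ACL = parse_acl("""
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16666
access-list DMZ extended permit udp host 10.10.51.2 host 10.10.60.2 eq 16667
access-list DMZ extended permit 97 host 10.10.51.2 host 10.10.60.2
""")

if __name__ == "__main__":
    guest = "10.124.50.25"  # constructed guest client on the Vlan50 subnet
    flows = [
        ("DHCP discover", GUEST_RACL, (17, "0.0.0.0", "255.255.255.255", 67)),
        ("DNS to another internal host", GUEST_RACL, (17, guest, "10.124.1.11", 53)),
        ("HTTPS to the web-auth device", GUEST_RACL, (6, guest, "10.124.1.20", 443)),
        ("HTTPS to the Internet", GUEST_RACL, (6, guest, "198.51.100.10", 443)),
        ("EoIP from the peer controller", DMZ_ACL, (97, "10.10.51.2", "10.10.60.2")),
        ("SSH from the peer controller", DMZ_ACL, (6, "10.10.51.2", "10.10.60.2", 22)),
    ]
    for desc, acl, flow in flows:
        action, ace = evaluate(acl, *flow)
        print(f"{desc:32} {action:6} ({ace})")
```

Note that the RACL only opens TCP 80 to the web-auth device, so a login page served over HTTPS would be blocked unless an ACE for port 443 is added before the RFC 1918 deny entries.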
Show Commands
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mobile-10
Mobility Keepalive interval...................... 10
Mobility Keepalive count......................... 3
Mobility Group members configured................ 3
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Status
00:18:73:34:b2:60 10.10.75.2 mobile-9 Up
00:18:73:34:b3:00 10.10.76.2 mobile-9 Up
00:18:b9:ea:a7:20 10.10.80.3 <local> Up
Show Commands
(Cisco Controller) >show mobility anchor 2
Mobility Anchor Export List
WLAN ID IP Address Status
2 10.10.75.2 Up
2 10.10.76.2 Up
(Cisco Controller) >show mobility statistics
Global Mobility Statistics
Rx Errors .................................... 11591
Tx Errors .................................... 0
Responses Retransmitted ...................... 0
Handoff Requests Received .................... 0
Handoff End Requests Received ................ 8
State Transitions Disallowed.................. 0
Resource Unavailable.......................... 0
Mobility Initiator Statistics
Handoff Requests Sent ........................ 258
Handoff Replies Received ..................... 0
Handoff as Local Received .................... 0
Show Commands—Remote and Anchor WLC
Remote (foreign) WLC:
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.75.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest-vlan
VLAN............................................. 60
Anchor WLC:
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.10.77.48
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.50.2
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 77
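As an added example (not the deck's own tooling), a Python check that reads the "show client detail" output from the remote and anchor WLCs together with the "show mobility anchor" export list and confirms the guest client is really tunnelled: Export Foreign on the remote side, Export Anchor on the anchor, the anchor address listed as Up for the guest WLAN, and the client terminated on the guest VLAN at the anchor. The embedded output is abbreviated from the deck's listings above; the guest WLAN ID and VLAN arguments are constructed inputs.

```python
import re
from typing import Dict, List

# Constructed sample input: abbreviated copies of the deck's 'show' output above.
FOREIGN_CLIENT = """\
Client MAC Address............................... 00:40:96:ad:0d:1b
Client State..................................... Associated
Wireless LAN Id.................................. 1
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.75.2
Interface........................................ guest-vlan
VLAN............................................. 60
"""
ANCHOR_CLIENT = """\
Client MAC Address............................... 00:40:96:ad:0d:1b
Client State..................................... Associated
Wireless LAN Id.................................. 2
IP Address....................................... 10.10.77.48
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.50.2
Interface........................................ guest
VLAN............................................. 77
"""
ANCHOR_LIST = """\
Mobility Anchor Export List
WLAN ID IP Address Status
2 10.10.75.2 Up
2 10.10.76.2 Up
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Turn WLC 'Key........ Value' lines into a dict; lines without a dot leader are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*\.{2,}\s*(.*)$", line)
        if m:
            out[m.group(1).strip()] = m.group(2).strip()
    return out


def parse_anchor_list(text: str) -> Dict[int, List[str]]:
    """Parse the 'show mobility anchor' export list into {wlan_id: [anchor_ip, ...]} for Up anchors."""
    anchors: Dict[int, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$", line)
        if m and m.group(3) == "Up":
            anchors.setdefault(int(m.group(1)), []).append(m.group(2))
    return anchors


def check_guest_anchoring(foreign_txt: str, anchor_txt: str, anchor_list_txt: str,
                          guest_wlan_id: int, guest_vlan: int) -> List[str]:
    """Return findings; an empty list means the client is tunnelled to a valid anchor
    and terminated on the guest VLAN there (not bridged locally at the foreign WLC)."""
    f, a = parse_kv(foreign_txt), parse_kv(anchor_txt)
    anchors = parse_anchor_list(anchor_list_txt)
    findings: List[str] = []
    if f.get("Client MAC Address") != a.get("Client MAC Address"):
        findings.append("the two outputs describe different clients")
    if f.get("Mobility State") != "Export Foreign":
        findings.append(f"foreign WLC state is {f.get('Mobility State')!r}, expected 'Export Foreign'")
    if a.get("Mobility State") != "Export Anchor":
        findings.append(f"anchor WLC state is {a.get('Mobility State')!r}, expected 'Export Anchor'")
    anchor_ip = f.get("Mobility Anchor IP Address")
    if anchor_ip not in anchors.get(guest_wlan_id, []):
        findings.append(f"anchor {anchor_ip} is not an Up mobility anchor for WLAN {guest_wlan_id}")
    if a.get("VLAN") != str(guest_vlan):
        findings.append(f"client is on VLAN {a.get('VLAN')} at the anchor, expected guest VLAN {guest_vlan}")
    return findings


if __name__ == "__main__":
    problems = check_guest_anchoring(FOREIGN_CLIENT, ANCHOR_CLIENT, ANCHOR_LIST, 2, 77)
    print("OK: guest client correctly anchored" if not problems else "\n".join(problems))
```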
Path Isolation: WLAN Controller Deployments with EoIP Tunnel—Summary
EoIP tunnels transport guest traffic between edge and anchor controllers
Original guest's Ethernet frame maintained across LWAPP and EoIP tunnels
Pros:
Simple configuration
Overlay solution: no need to modify the network configuration
Cons:
Support for wireless guest clients only
Limited to WLAN controller wireless deployments
Services Edge: Guest Network Services
Providing network services to guest users in a centralized location
Dedicated DHCP and DNS services still controlled by the host organization
DNS services offered by an external server
DHCP services offered by an external server or by the web-auth appliance
Separate FW dedicated to guests
FW in routed mode: NAT/PAT to return traffic through the proper FW
FW in transparent mode: static routes required on the Internet router
[Diagram: the guest default route and the global default route leave the campus through separate firewalls]
Web-Authentication for Guest Users: Technical Requirements
Common web-authentication system for wired and wireless clients
Deployed in a centralized fashion: authentication and authorization on a centralized in-band device
Record the activity of guest users while connected to the Enterprise network
Force the acceptance of Enterprise legal disclaimer before getting Internet connectivity
Used for billing purposes (in some cases)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 54BRKAGG-201614498_04_2008_c2
Components of a Guest Access Solution
Component                  Owner                  Implementation
Network Segmentation       IT Admin function      Tunnels or VLANs
User Provisioning          Employee function      Guest provisioning web portal
User Login Portal          Guest user function    Guest user intercept web-auth portal
User Policy Management     IT Admin functions     Differentiated access by user
Reporting, Billing         IT Admin functions     Audit trails, billing integration
Network Segmentation
• Anchor WLC reachability is determined using the EoIP ping (data path) functionality
• The foreign WLC sends pings at configurable intervals to check that the anchor WLC is alive
• Once an anchor WLC failure is detected, a DEAUTH is sent to the client
• The remote WLC keeps monitoring the anchor WLC
• Under normal conditions, clients are balanced between anchor WLCs in round-robin fashion
Diagram: foreign controller F1 with EtherIP "guest tunnels" over the campus core to anchor controllers A1 and A2 (primary and redundant links); controller management addresses 10.10.80.3, 10.10.75.2 and 10.10.76.2; guest VLAN 10.10.60.x/24 toward the Internet; LWAPP APs on the wireless VLANs
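The monitoring and failover behaviour listed above, as an added example that is not Cisco code: a foreign WLC model that pings its anchors every interval, declares an anchor dead after a number of missed replies, de-authenticates the clients tunnelled to it, keeps polling, and places new clients round-robin over the live anchors. The ping callback, the miss threshold of three and the client MACs are all constructed assumptions.

```python
"""Added example, not Cisco code: a model of the foreign (remote) WLC's
anchor monitoring described above.  The EoIP data-path ping is stood in
for by a callback; the number of missed replies that declare an anchor
dead (3) is a hypothetical value."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Anchor:
    name: str
    alive: bool = True   # last known reachability
    missed: int = 0      # consecutive EoIP pings left unanswered


@dataclass
class ForeignWLC:
    anchors: List[Anchor]
    miss_threshold: int = 3                                 # hypothetical
    clients: Dict[str, str] = field(default_factory=dict)   # client MAC -> anchor name
    deauth_log: List[str] = field(default_factory=list)
    rr_cursor: int = 0                                      # round-robin position

    def live_anchors(self) -> List[Anchor]:
        return [a for a in self.anchors if a.alive]

    def assign(self, mac: str) -> Optional[str]:
        """Tunnel a new guest client to the next live anchor (round-robin)."""
        live = self.live_anchors()
        if not live:
            return None          # no anchor reachable: guest cannot be serviced
        anchor = live[self.rr_cursor % len(live)]
        self.rr_cursor += 1
        self.clients[mac] = anchor.name
        return anchor.name

    def poll(self, reachable: Callable[[str], bool]) -> List[str]:
        """One ping interval; `reachable(name)` stands in for the EoIP ping.
        Returns the anchors declared dead during this interval."""
        newly_dead: List[str] = []
        for anchor in self.anchors:
            if reachable(anchor.name):
                anchor.missed = 0
                anchor.alive = True      # a recovered anchor rejoins the pool
                continue
            anchor.missed += 1           # keep monitoring even after failure
            if anchor.alive and anchor.missed >= self.miss_threshold:
                anchor.alive = False
                newly_dead.append(anchor.name)
                self.deauth_clients_on(anchor.name)
        return newly_dead

    def deauth_clients_on(self, anchor_name: str) -> None:
        """Send DEAUTH to every client whose tunnel ended on the failed anchor."""
        for mac, name in list(self.clients.items()):
            if name == anchor_name:
                self.deauth_log.append(f"DEAUTH {mac}: anchor {anchor_name} unreachable")
                del self.clients[mac]


def run_scenario() -> dict:
    """Two anchors A1 and A2; A2 stops answering from the third interval on.
    Client MACs are constructed."""
    wlc = ForeignWLC(anchors=[Anchor("A1"), Anchor("A2")])
    macs = ["00:40:96:ad:12:39", "00:40:96:ad:12:3a", "00:40:96:ad:12:3b"]
    placements = [wlc.assign(m) for m in macs]
    dead_at = None
    for interval in range(1, 7):
        dead = wlc.poll(lambda name, i=interval: name == "A1" or i < 3)
        if dead and dead_at is None:
            dead_at = interval
    return {
        "placements": placements,                          # ['A1', 'A2', 'A1']
        "dead_at": dead_at,                                # 5: third missed ping
        "deauths": list(wlc.deauth_log),
        "after_failure": wlc.assign("00:40:96:ad:12:3c"),  # 'A1'
        "remaining": dict(wlc.clients),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```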
Guest Network Bandwidth Contracts
• Specify bandwidth limitations and policies by individual user or group
• Ability to allocate resources by specific job function or throughput requirement
• Organization's overall network performance is enhanced
• Increased granularity and control improves network security
Diagram: two contractor roles terminated on the anchor controller with different bandwidth contracts: accounting contractor on SSID ACCT (best effort) and network admin contractor on SSID CONTRACTOR (4 Mbps, high speed); guest and employee VLANs across the campus core to the Internet
User Policy Management Options
Versatile management for any deployment environment
Integrated Device Management
• Web-based management GUI served from the WLAN Controller
• Designed for small, single-controller deployments
• Basic user scheduling
Cisco Wireless Control System
• Web-based multi-device management
• Designed for more feature-rich and multiple-controller deployments
• Full-featured user scheduling
• Provision users by physical area
Services Edge: Create the Lobby Admin in WLC
• Lobby administrator can be created in the WLC directly
Diagram: WLC with guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Add a “Guest” User on the WLC
Screenshot: Guest User List > New
Services Edge: Creating the Bandwidth Contract
Bandwidth policies can be created in WCS using Controller Templates under
Configure --> Controller Templates --> System --> User Roles
Services Edge: Lobby Ambassador Feature in WCS
• User created in WCS with Lobby Ambassador (LA) privilege
• Lobby Ambassador user logs into the WCS to create guest user accounts
Diagram: WCS managing the WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Lobby Ambassador Feature in WCS
• Associate the lobby admin with some default information
Services Edge: Add a Guest User
Services Edge: Print/E-Mail Details of Guest User
Services Edge: Schedule a Guest User
Services Edge: Details About the Guest User(s)
How to Implement User Login Portal
Simple and customizable
• Upload an HTML file from the Wireless Control System (WCS) to the WLAN Controller
• The login portal is then served from the WLAN Controller or an external server
Additional considerations, to help reduce help desk calls:
–Login failure message portal
–Logout verification message portal
Diagram: guest wireless client on the guest SSID; LWAPP APs to the WLC, with WCS managing it; guest and employee VLANs across the campus core to the Internet
Services Edge: Web Portal—Internal to WLC
• Internal web login page in the WLC
Diagram: WLC serving the guest login page; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Web Portal—External Web Server
• Web portal in an external web server
Diagram: external web server beside the WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Configuring Customized WebAuth in WCS
1. Download a sample copy of the customized webauth page from WCS
2. Customize the webauth page as per your requirements
3. Upload the newly customized webauth page to the Anchor WLC
Diagram: WCS pushing the page to the WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Configuring Customized WebAuth in WCS
• Upload the customized web page to the Anchor WLC
• A customized webauth bundle can contain:
–22 login pages (16 WLANs and 5 Wired LANs)
–22 login failure pages (in WCS 5.0)
–22 login successful pages (in WCS 5.0)
Diagram: WCS pushing the bundle to the WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Sample Customized WebAuth in WCS
• Sample webauth bundle with customized login.html, logout.html and loginfailure.html files
Diagram: WCS with the WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Using the Customized WebAuth Files in WLC
• Select the login.html, logout.html and loginfailure.html files in the WLAN configuration of the WLC
Services Edge: Guest User Database—Internal
• Configure the local internal database of the WLC
• 2048 usernames can be stored in the database per WLC
• Guest usernames are deleted automatically after the activity period
Diagram: WLC holding the guest database; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Guest User Database—External RADIUS
• An external RADIUS server can be used to store guest usernames and passwords
• Change the WLAN configuration to check the external RADIUS server for authentication
Diagram: RADIUS server beside the WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Services Edge: Web Login Page on the Client
1. Wireless guest user associates to the guest SSID
2. Initiates a browser connection to any website
3. Web login page will be displayed
Diagram: guest wireless client on the guest SSID; WCS and WLC; guest and employee VLANs across the campus core, LWAPP APs, Internet
Guest User Log—Anchor Controller
(WiSM-slot1-2) >config msglog level verbose
(WiSM-slot1-2) >show msglog
Message Log Severity Level ...................... VERBOSE
Fri Nov 3 15:08:06 2006 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'admin'
Fri Nov 3 15:07:01 2006 [VERBOSE] pem_api.c 5839: Guest user logged out with user account (guest123) MAC Addr 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [VERBOSE] pem_api.c 5761: Guest user logged in with user account (guest123) MAC Address 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [SECURITY] aaa.c 666: Authentication succeeded for network user 'guest123'
Fri Nov 3 15:05:30 2006 [VERBOSE] apf_foreignap.c 1075: Guest user with MAC Address 00:40:96:ad:12:39 assigned IP Address 172.20.225.149
Diagram: the anchor controller also forwards the message log to a SYSLOG server
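The log above is the raw material for the audit trail the requirements slide asks for. As an added example that is not part of the deck, the parser below rebuilds per-account guest sessions (MAC, IP, login, logout, duration) from msglog lines of that format and flags an account that logs in from a second MAC while its first session is still open; the sample log is constructed from the lines shown above plus one invented earlier login from a second MAC.

```python
"""Added example, not from the deck: rebuild a guest audit trail from WLC
msglog lines of the form shown above.  Sessions are keyed by (account, MAC);
an account that logs in from a second MAC while its first session is still
open is flagged, as is a logout with no matching login."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines shown above (newest first, as `show msglog`
# prints them) plus one invented earlier login from a second MAC address.
SAMPLE_MSGLOG = """\
Fri Nov 3 15:08:06 2006 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'admin'
Fri Nov 3 15:07:01 2006 [VERBOSE] pem_api.c 5839: Guest user logged out with user account (guest123) MAC Addr 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [VERBOSE] pem_api.c 5761: Guest user logged in with user account (guest123) MAC Address 00:40:96:ad:12:39 IP Address 172.20.225.149
Fri Nov 3 15:06:11 2006 [SECURITY] aaa.c 666: Authentication succeeded for network user 'guest123'
Fri Nov 3 15:05:30 2006 [VERBOSE] apf_foreignap.c 1075: Guest user with MAC Address 00:40:96:ad:12:39 assigned IP Address 172.20.225.149
Fri Nov 3 15:04:02 2006 [VERBOSE] pem_api.c 5761: Guest user logged in with user account (guest123) MAC Address 00:11:22:33:44:55 IP Address 172.20.225.150
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[(?P<sev>\w+)\] (?P<src>\S+ \d+): (?P<msg>.*)$")
LOGIN_RE = re.compile(
    r"Guest user logged in with user account \((?P<acct>[^)]+)\) MAC Address (?P<mac>[0-9a-fA-F:]{17}) IP Address (?P<ip>[\d.]+)")
LOGOUT_RE = re.compile(
    r"Guest user logged out with user account \((?P<acct>[^)]+)\) MAC Addr (?P<mac>[0-9a-fA-F:]{17}) IP Address (?P<ip>[\d.]+)")


@dataclass
class Session:
    account: str
    mac: str
    ip: str
    login: datetime
    logout: Optional[datetime] = None

    @property
    def duration_s(self) -> Optional[int]:
        return None if self.logout is None else int((self.logout - self.login).total_seconds())


def parse_ts(raw: str) -> datetime:
    # Collapse the padded day column ("Nov  3") before parsing.
    return datetime.strptime(" ".join(raw.split()), "%a %b %d %H:%M:%S %Y")


def audit_trail(msglog: str) -> dict:
    events: List[Tuple[datetime, str]] = []
    for line in msglog.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["msg"]))
    events.sort(key=lambda e: e[0])          # replay oldest first

    open_sessions: Dict[Tuple[str, str], Session] = {}
    sessions: List[Session] = []
    alerts: List[str] = []
    for ts, msg in events:
        login = LOGIN_RE.search(msg)
        logout = LOGOUT_RE.search(msg)
        if login:
            acct, mac = login["acct"], login["mac"]
            others = [s for (a, m_), s in open_sessions.items() if a == acct and m_ != mac]
            if others:
                alerts.append(f"{ts:%H:%M:%S} {acct} logged in from {mac} while a session "
                              f"from {others[0].mac} is still open (shared credentials?)")
            s = Session(acct, mac, login["ip"], ts)
            open_sessions[(acct, mac)] = s
            sessions.append(s)
        elif logout:
            s = open_sessions.pop((logout["acct"], logout["mac"]), None)
            if s is None:
                alerts.append(f"{ts:%H:%M:%S} logout for {logout['acct']}/{logout['mac']} without a login")
            else:
                s.logout = ts
    return {"sessions": sessions, "alerts": alerts, "still_open": list(open_sessions.values())}


if __name__ == "__main__":
    result = audit_trail(SAMPLE_MSGLOG)
    for s in result["sessions"]:
        print(s.account, s.mac, s.ip, s.login.time(), s.duration_s)
    for a in result["alerts"]:
        print("ALERT", a)
```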
Audit Trail in WCS
Wireless Guest Access—Deployment Options
Three options: Cisco Standalone APs (guest VLANs carried through the LAN to the Internet), Cisco Unified Wireless with no DMZ controller (WLC plus WCS), and Cisco Unified Wireless with a DMZ controller (EoIP tunnels to a DMZ WLC, managed by WCS)

                           Standalone           No DMZ WLC           DMZ WLC
Provisioning Portal        No                   Yes                  Yes
User Login Portal          No                   Yes                  Yes
Traffic Segmentation       VLANs thru network   VLANs thru network   Yes—tunnels or VLANs
User Policy Management     No                   Yes                  Yes
Reporting                  No                   Yes                  Yes
Overall Functionality      Low                  Medium               High
Overall Design Complexity  Medium               Medium               Low
Unified Wired and Wireless Guest Access
• Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access
• Allows organizations to leverage existing wireless infrastructure to provide guest access on the LAN
• Universal provisioning interface and captive portal provide ease of guest user provisioning and consistent network access
• Enables the ability to leverage common guest user policies for both wired and wireless network access
Unified Wired and Wireless Guest Access
Diagram: a wired guest client on a Layer-2 switch and wireless guest clients on LWAPP APs; guest traffic from both is carried over EtherIP "guest tunnels" across the campus core to the anchor controller and out to the Internet, while secure (employee) traffic stays on the internal wireless VLANs
Wired Guest Access Deployment Requirements
• Five guest LANs for wired guest access will be supported
• Admin can create wired guest VLANs on the WLC and associate them with the guest LAN
• Web-auth will be the default security on a wired guest LAN, but open and web pass-through are also supported
• No L2 security, such as 802.1x, is supported
• Multicast and broadcast traffic will be dropped on wired guest VLANs
• Wired guest access will be supported in a single guest WLC scenario or an Anchor-Foreign guest WLC scenario
Wired Guest Access Supported Platforms
Wired guest access is supported on the following platforms:
• Cisco 4400 Wireless LAN Controller
• Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
• Cisco Catalyst 3750G Integrated Wireless LAN Controller
Wired Guest Access Deployment Requirements
• Wired guest plugs into a specified guest port (i.e. in EBC, guest cube, training center, etc.)
• Create a Layer 2 VLAN on the access layer switch

cat6506#sh vlan id 49

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
49   VLAN0049                         active    Gi2/1, Gi2/2, Gi2/4, Gi2/35
                                                Gi2/39, Fa4/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
49   enet  100049     1500  -      -      -        -    -        0      0

interface FastEthernet4/24
 description Wired Guest Access
 switchport
 switchport access vlan 49
 no ip address
end

interface GigabitEthernet2/4
 description Trunk port to the WLC
 switchport
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3,4,49
 switchport mode trunk
 no ip address
end
Wired Guest Access Deployment Requirements
• Create a dynamic interface as the guest LAN, which will be the ingress interface
• DHCP server information is not required on the ingress interface
• DHCP server information is required on the egress dynamic interface
Wired Guest Access Config
• Create the wired guest LAN
Wired Guest Config
• Assign the ingress and egress interfaces
• Ingress interface is the wired guest LAN
• Egress interface could be the management interface or any dynamic interface
Wireless and Wired Guest Config
Screenshot: wireless and wired guest WLAN configuration
Cisco NAC Guest Server
Cisco’s Unified Guest Access Solution
Diagram: a guest user and an employee sponsor; access network enforcement by the secure Catalyst switch, access point and Wireless LAN Controller, or by the NAC Appliance; guest lifecycle management by the NAC Guest Server (New!) and Cisco WCS
NAC Guest Server Overview
• The NAC Guest Server appliance provides integrated guest access provisioning, management, and reporting
• Part number: NAC3310-GUEST-K9
• Purpose-built appliance that is easy to deploy and simple to manage and use
• Integrates seamlessly with NAC and WLC deployments for wired or wireless guest access
• Provides an advanced guest access feature set
• Allows easy and secure creation of guest user accounts
Cisco Wireless Guest Access Solutions
Chart of functionality versus cost:
• Basic, small deployment: Wireless LAN Controllers using integrated WLC management
• Enhanced, enterprise-grade guest provisioning: Wireless LAN Controllers with Cisco WCS
• Advanced guest provisioning and reporting: Wireless LAN Controllers with NAC Guest Server (New!)
• Increased guest user security and control: NAC Appliance, add to any guest deployment
Cisco Wired Guest Access Solutions
Chart of functionality versus cost, covering dynamic wired port deployment and static wired port deployment:
• Wireless LAN Controllers with Cisco WCS
• Advanced guest provisioning and reporting: Wireless LAN Controllers with NAC Guest Server (New!)
• Increased guest user security and control: NAC Appliance
• Deploying a NAC-based approach natively includes advanced guest provisioning and reporting as well as increased guest user security and control
Adding NAC Guest Server to WLAN Controller Deployment
1. Provisioning personnel creates the guest profile in the NGS appliance
2. Guest connects to the “guest” SSID and authenticates to the captive portal provided by the WLC
3. Guest credentials are stored on NGS; the WLC checks the credentials via RADIUS against NGS
Diagram: DMZ WLAN controller anchoring the EtherIP "guest tunnels" from the campus controllers, with the NAC Guest Server reachable from it; guest and employee VLANs across the campus core, LWAPP APs, Internet
NAC Guest Server Admin Interface
• The Admin portal is required to configure the device
• To access the Admin portal use http(s)://ip.addr/admin
Screenshot: main page after logging in
Sponsor Authentication: Local Account/AD
• The sponsor account can be a local user in NGS or an Active Directory account
Guest Policy: Username/Password Policy
Username policy
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters
Password policy
1. Alphabetic characters
2. Numeric characters
3. Special characters
WLC Integration: Guest Server Configuration
• Add the WLC as a NAS in the NGS
• NGS uses standard RADIUS Attribute 27 (Session-Timeout)
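To show what the WLC actually receives from the guest server, here is an added example (not NGS or WLC code) of how a guest account's remaining validity is carried as RADIUS attribute 27, Session-Timeout: the encoder caps the value at 32 bits and withholds the attribute once the account has expired, and the decoder refuses a malformed length instead of reading past the packet. The account name "guest123" and the expiry time are constructed.

```python
"""Added example, not NGS or WLC code: how a guest account's remaining
validity is carried to the controller as RADIUS attribute 27, Session-Timeout
(RFC 2865).  On the wire it is a TLV: type 27, length 6, then a 32-bit
unsigned number of seconds in network byte order.  The account name and
expiry time used below are constructed."""
import struct
from datetime import datetime, timedelta
from typing import Dict, Optional

USER_NAME, SESSION_TIMEOUT = 1, 27
MAX_UINT32 = 0xFFFFFFFF


def remaining_seconds(account_end: datetime, now: datetime) -> Optional[int]:
    """Seconds of validity left, capped at 32 bits, or None once the account
    has expired (the server then answers Access-Reject, no attribute at all)."""
    left = int((account_end - now).total_seconds())
    return None if left <= 0 else min(left, MAX_UINT32)


def encode_session_timeout(seconds: int) -> bytes:
    if not 0 <= seconds <= MAX_UINT32:
        raise ValueError("Session-Timeout must fit in 32 bits")
    return struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)


def access_accept_attributes(account: str, account_end: datetime, now: datetime) -> Optional[bytes]:
    """Attribute list for an Access-Accept: User-Name followed by Session-Timeout."""
    left = remaining_seconds(account_end, now)
    if left is None:
        return None
    name = account.encode()
    return struct.pack("!BB", USER_NAME, 2 + len(name)) + name + encode_session_timeout(left)


def decode_attributes(payload: bytes) -> Dict[int, bytes]:
    """Walk a RADIUS attribute list into {type: raw value}.  A length field
    below 2 or running past the packet end raises instead of being read."""
    attrs: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def session_timeout_from(payload: bytes) -> Optional[int]:
    """What the controller would enforce: the decoded Session-Timeout, if any."""
    raw = decode_attributes(payload).get(SESSION_TIMEOUT)
    if raw is None or len(raw) != 4:
        return None
    return struct.unpack("!I", raw)[0]


def demo() -> dict:
    """Constructed two-hour guest account evaluated at a fixed 'now'."""
    now = datetime(2008, 4, 14, 9, 0, 0)
    accept = access_accept_attributes("guest123", now + timedelta(hours=2), now)
    return {
        "accept": accept,
        "timeout": session_timeout_from(accept),                                        # 7200
        "expired": access_accept_attributes("guest123", now - timedelta(seconds=1), now),  # None
        "capped": remaining_seconds(now + timedelta(days=100000), now),                # 4294967295
    }


if __name__ == "__main__":
    d = demo()
    print(d["accept"].hex(), d["timeout"], d["expired"], d["capped"])
```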
Informing Guest
Sponsor will have three ways to inform the guest:
1) Printing the details
2) Sending the details via e-mail
3) Sending the details via SMS
Sponsor Portal: Create and Print Guest A/C
Sponsor Portal: Guest Report
Guest Access Use Case 1: Wireless-Only Solution
Access control
• Wireless clients associating with the “guest” SSID
• Traffic LWAPP-encapsulated between APs and centralized controllers
Path isolation
• EoIP tunnels statically built between edge and anchor controllers
Services edge
• Network and web-authentication services offered on the anchor WLAN controller
Guest Access Use Case 2: Integrated Wired + Wireless Solution
Access control
• Wired clients: assigned to the guest VLAN statically or dynamically (802.1x guest VLAN or auth-failed VLAN)
• Wireless clients: associating with the “guest” SSID; traffic bridged locally on a guest VLAN (standalone AP model) or tunneled via LWAPP to centralized controllers
Path isolation
• Use of distributed ACLs
• VRF-Lite and GRE tunnels
• VRF-Lite end-to-end
Services edge
• Network and web-authentication services provided by an in-band appliance
Guest Access Use Case 3: “Hybrid” Solution
Access control
• Wired clients: assigned to the guest VLAN statically or dynamically (guest VLAN or auth-failed VLAN)
• Wireless clients: associating with the “guest” SSID; traffic tunneled via LWAPP to centralized controllers
Path isolation
• Wired clients: distributed ACLs or VRF+GRE
• Wireless clients: use of EoIP tunnels
Services edge
• Network and web-authentication services provided by an in-band appliance
Recommended Reading
• 802.11 Wireless Network Site Surveying and Installation
• Wi-Fi Hotspots
• Deploying Guest Access with WLAN Controllers
  http://www.cisco.com/en/US/customer/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html
• Network Virtualization—Guest and Partner Access Deployment Guide
  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080849883.pdf
Available onsite at the Cisco Company Store
Q and A
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
Appendix
EoIP Tunnel Combination Between WLC Versions
Compatibility matrix of remote (foreign) WLC versions against anchor WLC versions, with 4.1.185, 4.2.112, 5.0.148 and 5.1.78 on each axis (cell values not captured)
Path Isolation: GRE Support on Cisco Catalyst Switches
• GRE switched in HW only with Cisco Catalyst 6500 with PFC3-based supervisors
• GRE supported in SW on Cisco Catalyst 6500 with Sup II and Cisco Catalyst 4500
• GRE switching not supported on 3xxx switches
Access Control: 802.1x and IP Phones (CDP-Based Approach)
CDP—Cisco Discovery Protocol
• Leverage capabilities of multi-VLAN ports: Voice VLAN ID (VVID) for voice, Port VLAN ID (PVID) for data
• Feature available across all the Cisco Catalyst platforms
• 802.1x authentication enforced only on the PVID VLAN
• IP Phone bypasses 802.1x authentication via CDP
CatOS:
set vlan 2 2/1
set port auxiliaryvlan 2/1 5
set port dot1x 5/1 port-control auto
Cisco IOS:
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 5
 dot1x port-control auto
Access Control: 802.1x and IP Phones (Multi-Domain Auth)
• Still leveraging the capabilities of multi-VLAN ports: Voice VLAN ID (VVID) for voice, Port VLAN ID (PVID) for data
• PC and the IP phone are authenticated separately on the same switch port
• Authentication can be performed via 802.1x on the voice VLAN as well as the data VLAN
• Supports heterogeneous environments: on the voice VLAN as well as the data VLAN, IP phones without 802.1X capability require MAC authentication
• CDP is no longer leveraged as the 802.1x exemption criterion
Cisco IOS:
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 5
 dot1x port-control auto
 dot1x host-mode multi-domain
Access Control: How to Share the Port Behind the IP Phone
The problem: no link-down event happens on the switch port when a client disconnects from the PC port behind a phone
The goal: determine the conditions for successfully sharing the PC port between internal employees and guests
Access Control: IP Phone and 802.1x Guest VLAN
1. Multi-VLAN switch port configured for 802.1x guest VLAN and auth-fail VLAN
2. IP phone bypasses 802.1x authentication (via CDP) and is deployed into the voice VLAN (VVID)
3. After three unanswered EAP-Identity-Requests the 802.1x guest VLAN is deployed as data VLAN (PVID)
4. A guest not equipped with an 802.1x supplicant can plug in and have immediate access to the guest VLAN
Diagram: port deployed into the guest VLAN
Access Control: Removing the Switch Port from Guest VLAN
1. Client equipped with an 802.1x supplicant connects and restarts the 802.1x authentication*
2. Switch port is removed from the guest VLAN
3. An employee would succeed in the auth process and get access to all the internal network resources
4. An 802.1x-enabled guest would fail the auth process and be deployed into the auth-failed VLAN
*Note: This holds true if the 802.1x supplicant is able to send EAPOL-Start frames; if not, the port would remain configured in the guest VLAN
Access Control: Client Disconnecting from IP Phone
• An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1x completely—security hole!!!
• If a legitimate user tries to gain access, assuming that the MAC address is different, the switch may treat the event as a security violation and disable the port
• Also the phone may get disconnected!!!
Access Control: IP Phones Capable of Sending EAPOL-Logoff
1. Client disconnects from the port behind the IP phone
2. IP phone detects a link-down event on the PC port and sends an EAPOL-Logoff message on behalf of the client
3. Receipt of the EAPOL-Logoff message restarts the 802.1x authentication process on the switch port
4. After three unanswered EAP-Identity-Requests the port is again deployed into the guest VLAN (back to initial condition)*
*Note: This holds true if the switches run Cisco IOS code and the global command “dot1x guest-vlan supplicant” is configured
Access Control: Conditions to Share the Port Behind the IP Phone
1. 802.1x supplicant is able to send EAPOL-Start frames (not default Microsoft-client behavior)
2. IP phones have proxy EAPOL-Logoff capabilities
   Firmware release 7.2(2) for 7940-7960
   Firmware release 7.0(1) for 7970
   All firmware releases for 7911G
3. Switches are running Cisco IOS code and the “dot1x guest-vlan supplicant” global command is configured
Note: This is a hidden command in the latest Cisco IOS SW releases
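The port behaviour walked through on the preceding slides (guest VLAN after three unanswered identity requests, EAPOL-Start pulling the port out of it, the unseen disconnect behind the phone, and the EAPOL-Logoff path back to the initial condition) as an added model that is not Cisco code. It contrasts a deployment where the three conditions above hold with one where they do not; the VLAN numbers reuse this page's IOS snippets (data VLAN 2, guest VLAN 49), while the auth-fail VLAN number and the MAC addresses are constructed.

```python
"""Added example, not Cisco code: a model of the switch-port behaviour the
slides above describe for a PC sharing the port behind an IP phone.  VLAN
numbers reuse this page's IOS snippets (data VLAN 2, guest VLAN 49); the
auth-fail VLAN number and all MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

DATA_VLAN, GUEST_VLAN, AUTHFAIL_VLAN = 2, 49, 48
EAP_IDENTITY_REQUESTS = 3   # unanswered requests before the guest VLAN is deployed


@dataclass
class SharedPort:
    # True when all three conditions of the slide above hold: supplicants that
    # send EAPOL-Start, phone firmware with proxy EAPOL-Logoff, and IOS with
    # "dot1x guest-vlan supplicant" configured.
    logoff_path_available: bool
    pvid: Optional[int] = None        # data VLAN currently deployed on the port
    bound_mac: Optional[str] = None   # client the port's current state belongs to
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.restart_auth()

    def restart_auth(self) -> None:
        """Nothing answers the identity requests, so the port falls back to the
        guest VLAN: the slide's 'initial condition'."""
        self.bound_mac = None
        self.pvid = GUEST_VLAN
        self.log.append(f"{EAP_IDENTITY_REQUESTS} EAP-Identity-Requests unanswered: guest VLAN {GUEST_VLAN}")

    def client_connects(self, mac: str, sends_eapol_start: bool, is_employee: bool) -> int:
        """Returns the VLAN the client lands on, or 0 if the port is err-disabled."""
        if self.err_disabled:
            return 0
        if self.bound_mac is not None:
            # The previous client's disconnect was never seen by the switch.
            if mac == self.bound_mac:
                self.log.append(f"{mac} matches the bound MAC: access without 802.1x (security hole)")
                return self.pvid
            self.err_disabled = True
            self.log.append(f"{mac} differs from bound MAC {self.bound_mac}: security violation, port disabled")
            return 0
        if not sends_eapol_start:
            # No supplicant, or one that never sends EAPOL-Start: the port stays
            # where it is, i.e. in the guest VLAN.
            self.log.append(f"{mac} sent no EAPOL-Start: stays in VLAN {self.pvid}")
            return self.pvid
        self.log.append(f"{mac} sent EAPOL-Start: port leaves the guest VLAN, 802.1x runs")
        self.pvid = DATA_VLAN if is_employee else AUTHFAIL_VLAN
        self.bound_mac = mac
        return self.pvid

    def client_disconnects(self) -> None:
        """The PC unplugs from the phone's PC port; the switch sees no link-down."""
        if self.logoff_path_available:
            self.log.append("phone sent EAPOL-Logoff on behalf of the client: auth restarts")
            self.restart_auth()
        else:
            self.log.append(f"no EAPOL-Logoff: port stays bound to {self.bound_mac} in VLAN {self.pvid}")

    def still_bound(self) -> bool:
        """After a disconnect, True means the port is still tied to a client that left."""
        return self.bound_mac is not None


def scenario(logoff_path_available: bool) -> dict:
    """An employee authenticates, unplugs, then a guest laptop without a
    supplicant plugs into the same phone port."""
    port = SharedPort(logoff_path_available)
    employee_vlan = port.client_connects("00:11:22:33:44:01", True, True)
    port.client_disconnects()
    exposed = port.still_bound()
    guest_vlan = port.client_connects("00:11:22:33:44:02", False, False)
    return {"employee_vlan": employee_vlan, "exposed_after_disconnect": exposed,
            "guest_vlan": guest_vlan, "err_disabled": port.err_disabled, "log": port.log}


if __name__ == "__main__":
    for available in (False, True):
        print(f"logoff path available={available}:", scenario(available))
```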
Acronyms
VPN—Virtual Private Network
ACL—Access Control List
ACE—Access Control Entries
SSID—Service Set Identifier
MPLS—Multiprotocol Label Switching
DHCP—Dynamic Host Configuration Protocol
DNS—Dynamic Name Services
EAP—Extensible Authentication Protocol
EAPoL—EAP over LAN
AAA—Authentication, Authorization and Accounting
RADIUS—Remote Authentication Dial-In User Service
CDP—Cisco Discovery Protocol
MDA—Multi Domain Authentication
IBNS—Identity-Based Networking Services
WLAN—Wireless LAN
AP—Access Point
WLC—WLAN Controller
LWAPP—Lightweight Access Point Protocol
QoS—Quality of Service
VRF—Virtual Routing/Forwarding
GRE—Generic Routing Encapsulation
mGRE—Multipoint GRE
IGP—Interior Gateway Protocol
EIGRP—Enhanced Interior Gateway Routing Protocol
OSPF—Open Shortest Path First
WAN—Wide Area Network
SVI—Switched Virtual Interface
EoIP—Ethernet over IP