Cisco NAC Guest Server Guest Access - Simplified
Post on 14-Feb-2016
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Cisco NAC Guest Server
Guest Access - Simplified
Tim Wellborn, SE
Sangeeta Kodukula, SE
DFW Cisco Users Group, April 6, 2011
Agenda
1 The “Business Case” For Secure Guest Access
2 Cisco NAC Guest Server Overview
3 Deployment Options
4 Summary & Additional Resources
5 Demo
The Enterprise Hotspot
- Provide network access to visitors
- Present professional and secure access to visitors
- Enable improved productivity from vendors and contractors
- Strengthen collaboration between employees and partners
Enterprises are the most important hotspot destination for business partners in a connected world.
Provide Guest Access in a seamless, secure manner
Guest Access Considerations
Ease of use: Provisioning of user accounts; receptionist, help desk, any user
Integration with network infrastructure: Reduce infrastructure upgrades; avoid parallel network infrastructure
Audit and accountability: Know who is doing what; know who created which account
Cost: Cost of implementation; cost of ongoing management
Security: Meet security policy requirements; provide secure guest access
ROI - Cisco Internal Real World Example
- 400,000 guests per year (and increasing)
- $X per call to set up a guest (cost avoided)
- Cost savings of $M/year by self-provisioning
January 05 April 08
NAC Guest Server Overview
Four Key Components of Guest Access
GUEST: The visitor who needs network access
SPONSOR: The internal user who wants to be able to provide Internet access to their guest
NETWORK ENFORCEMENT DEVICE: Performs web redirection and authentication, and provides access. Wireless LAN Controller or NAC Appliance
NAC GUEST SERVER: Enables the sponsor to create a guest account; audits; provisions the account on the network enforcement device
Managing the Guest User Lifecycle
PROVISIONING: Create Guest Accounts
- Create a single Guest Account
- Create multiple Guest Accounts by importing a CSV file
MANAGEMENT: Manage Guest Accounts
- View, edit or suspend your Guest Accounts
- Manage batches of accounts you have created
NOTIFICATION: Give Accounts to Guests
- Print Account and Access Details
- Send Account Details via Email
- Send Account Details via SMS
REPORTING: Report on Guests
- View audit reports on individual Guest accounts
- Display Management reports on Guest Access
Provisioning: Who should create user accounts?
- Receptionist/Lobby Ambassador
- IT Security
- Managers
- Help Desk
- Any Employee
NAC Guest Server lets you choose based upon your security policy
Allowing any employee to create accounts provides increased usage and will be just as secure
- Reduced Cost
- Full Audit Trail
- Speed of access
- Ease of use
Sponsor Portal
Customizable Web Portal for internal sponsors
Authenticate with corporate credentials
Local Database, Active Directory, LDAP, RADIUS, Kerberos
Sponsor Single Sign On
Integrates with Active Directory
Supports all Windows authentication mechanisms including:
username/password, Smart Card, Biometrics, etc.
Log in to Windows
Automatic Authentication to NAC Guest Server
Creating Guest Accounts
1. Enter user details
2. Specify start and end times
3. Add user
Username Policy
Email Address
First/Last Name
Random
Guest Password Policy
Alphabetic
Numeric
Special
Choice of characters and length
Flexible Time Policies
Create accounts by:
- Start/End Time
- Usage from first login
  - For example, account valid for 1 hour from first login
- Usage within a certain period
  - For example, account valid for 2 hours within 24 hours from first login
Account Restrictions
- Set times when guest cannot log in, such as outside office hours
Provides complete flexibility for when you want to allow guest access
Notification: Guest User Account Delivery
Send account information via print-out, email, or SMS
Audit and Reports
Sponsor Information
Account Management
Guest Information
Visibility and Management of Guest Users
Guest Activity Reporting
Internet
Username: guestname
IP Address: 10.1.1.1
Login Time: 15:05
Logout Time: 14:30
15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com
Consolidated Audit Report of Guest Activity
Detailed guest audit information
- When they logged in
- Where they logged in
- The guest's address
- What they did
- What was allowed
- What was disallowed
NAC Guest Server Deployment Options
Network Enforcement Devices
Network Enforcement Devices control the guest user:
- Deliver the automatic redirect to a captive portal
- Authenticate the user against the Guest Server
- Enforce the user's access privileges
- Record network access information
Cisco NAC Appliance for Secure Guest Access
Cisco Wireless LAN Controllers
Cisco Catalyst Switch
Customizable Portals
Welcome to our guest hotspot!
Fully customize this page and add the widgets you want!
Login
Credit Card
Guest Self Registration
Password Change
NAC Guest Server Walkthrough
1. Sponsor creates account on the NAC Guest Server
2. Sponsor gives the credentials to the guest via print-out, email or SMS
3. Guest authenticates with the web portal from NGS which authenticates the guest by RADIUS to the NGS
Diagram labels: NAC Guest Server; Wireless LAN Controller; RADIUS; NAC Guest Server
NAC Guest Server Walkthrough
4. If auth is successful the guest is given Internet access
5. Wireless LAN Controller and Firewalls provide audit information to the NAC Guest Server
6. When the account expires the Wireless LAN Controller logs off the guest
Diagram labels: Wireless LAN Controller; Internet
Wireless Only Deployment
Diagram labels: Sponsored Guest; Cisco NGS Guest Server; Wireless LAN Controller; Internet; LAN\WAN; Active Directory; Optional
* Employee Wireless uses separate SSID providing higher security and full network access
Easiest to deploy; least design impact
Broad use-case
Add Secure Wired Access in Public Spaces
Diagram labels: Sponsored Guest; Cisco NGS Guest Server; Wireless LAN Controller; Employee; Internet; Parity for Wired / WLAN; Conference Room Ports; LAN\WAN; Active Directory; Optional
Enabling this feature may affect network design and require configuration changes. Employee wired access on these ports becomes limited to Internet in this scenario.
* Employee Wireless uses separate SSID providing higher security and full network access
Complete Guest and Employee Secure Network Access
Diagram labels: Sponsored Guest; Wireless LAN Controller; Internet; Parity for Wired / WLAN; Switch; Active Directory; Employee; 802.1X/MAB Compatibility; LAN\WAN; SSC; Employee; 802.1X; MAB; Cisco NGS Guest Server
Enabling this feature on switch ports leverages a similar 802.1X PEAP solution typical of enterprise wireless authentication.
* Employee Wireless uses separate SSID providing higher security and full network access
Application Programming Interface
Open Web API for use by custom applications
Example applications:
- Visitor Management Systems (Automatically create guest accounts)
- Hotel Property Management Systems (Provision at guest check-in)
- Identity Management System (Single portal for all accounts)
Costing Summary
Product | Hardware | Software | HW/SW Maintenance
NAC3315-GUEST-K9 | $24,995 (list) | Included | $3,989 (sntp)
• Above does not include Implementation planning and deployment
MANY Variations
- Different Designs
- Different Network Enforcement Devices
- Different Authentication Methods
- Different Auditing/Tracking Requirements
NAC Guest Server with Wireless Guest Access
Provides easy yet secure solution
NAC Guest Server is the primary tool to meet requirements of most guest access solutions
DEMO