cisco nac guest server guest access - simplified


Post on 14-Feb-2016


Page 1: Cisco  NAC  Guest Server Guest Access - Simplified

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco NAC Guest Server

Guest Access - Simplified

Tim Wellborn, SE

Sangeeta Kodukula, SE

DFW Cisco Users Group, April 6, 2011

Page 2: Cisco  NAC  Guest Server Guest Access - Simplified

Agenda

1 The “Business Case” For Secure Guest Access

2 Cisco NAC Guest Server Overview

3 Deployment Options

4 Summary & Additional Resources

5 Demo

Page 3: Cisco  NAC  Guest Server Guest Access - Simplified

The Enterprise Hotspot

- Provide network access to visitors
- Present professional and secure access to visitors
- Enable improved productivity from vendors and contractors
- Strengthen collaboration between employees and partners

Enterprises are the most important hotspot destination for business partners in a connected world.

Provide Guest Access in a seamless, secure manner

Page 4: Cisco  NAC  Guest Server Guest Access - Simplified

Guest Access Considerations

- Ease of use: Provisioning of user accounts; receptionist, help desk, any user
- Integration with network infrastructure: Reduce infrastructure upgrades; avoid parallel network infrastructure
- Audit and accountability: Know who is doing what; know who created which account
- Cost: Cost of implementation; cost of ongoing management
- Security: Meet security policy requirements; provide secure guest access

Page 5: Cisco  NAC  Guest Server Guest Access - Simplified

ROI - Cisco Internal Real World Example

- 400,000 Guests per year (and increasing)
- $X per call to set up a guest (cost avoided)
- Cost savings of $M/year by self provisioning

[Chart spanning January 05 to April 08]

Page 6: Cisco  NAC  Guest Server Guest Access - Simplified

NAC Guest Server Overview

Page 7: Cisco  NAC  Guest Server Guest Access - Simplified

Four Key Components of Guest Access

- GUEST: The visitor who needs network access
- SPONSOR: The internal user who wants to be able to provide internet access to their guest
- NETWORK ENFORCEMENT DEVICE: Provides web re-direction, authentication and access. Wireless LAN Controller or NAC Appliance
- NAC GUEST SERVER: Enables sponsor to create guest account; audits; provisions account on network enforcement device

Page 8: Cisco  NAC  Guest Server Guest Access - Simplified

Managing the Guest User Lifecycle

PROVISIONING: Create Guest Accounts
- Create a single Guest Account
- Create multiple Guest Accounts by importing a CSV file

MANAGEMENT: Manage Guest Accounts
- View, edit or suspend your Guest Accounts
- Manage batches of accounts you have created

NOTIFICATION: Give Accounts to Guests
- Print Account and Access Details
- Send Account Details via Email
- Send Account Details via SMS

REPORTING: Report on Guests
- View audit reports on individual Guest accounts
- Display Management reports on Guest Access

Page 9: Cisco  NAC  Guest Server Guest Access - Simplified

Provisioning: Who should create user accounts?

- Receptionist/Lobby Ambassador
- IT Security
- Managers
- Help Desk
- Any Employee

NAC Guest Server lets you choose based upon your security policy

Allowing any employee to create accounts provides increased usage and will be just as secure

- Reduced Cost
- Full Audit Trail
- Speed of access
- Ease of use

Page 10: Cisco  NAC  Guest Server Guest Access - Simplified

Sponsor Portal

Customizable Web Portal for internal sponsors

Authenticate with corporate credentials

- Local Database
- Active Directory
- LDAP
- RADIUS
- Kerberos

Page 11: Cisco  NAC  Guest Server Guest Access - Simplified

Sponsor Single Sign On

Integrates with Active Directory

Supports all Windows authentication mechanisms including:

- username/password
- Smart Card
- Biometrics
- etc.

Log in to Windows: Automatic Authentication to NAC Guest Server

Page 12: Cisco  NAC  Guest Server Guest Access - Simplified

Creating Guest Accounts

1. Enter user details

2. Specify start and end times

3. Add user

Page 13: Cisco  NAC  Guest Server Guest Access - Simplified


Username Policy

Email Address

First/Last Name

Random

Page 14: Cisco  NAC  Guest Server Guest Access - Simplified

Guest Password Policy

- Alphabetic
- Numeric
- Special

Choice of characters and length

Page 15: Cisco  NAC  Guest Server Guest Access - Simplified

Flexible Time Policies

Create accounts by:

- Start/End Time
- Usage from first login
  - For example account valid for 1 hour from first login
- Usage within a certain period
  - For example account valid for 2 hours within 24 hours from first login

Account Restrictions

- Set times when guest cannot login, such as outside office hours

Provides complete flexibility for when you want to allow guest access
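
An added example (not from the presentation, and not NAC Guest Server code): a small Python model of the three time policies and the login restriction on this slide, denying by default when a setting is missing or unknown. The class, field and policy names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

@dataclass
class GuestAccount:  # hypothetical model; field names are assumptions
    policy: str                               # "start_end", "from_first_login" or "usage_in_window"
    start: Optional[datetime] = None          # start_end only
    end: Optional[datetime] = None            # start_end only
    allowance: Optional[timedelta] = None     # lifetime, or usage budget for usage_in_window
    window: Optional[timedelta] = None        # usage_in_window: period counted from first login
    first_login: Optional[datetime] = None    # None until the guest first authenticates
    used: timedelta = timedelta(0)            # session time already consumed
    allowed_hours: Optional[Tuple[time, time]] = None  # login permitted only inside this range

def may_login(acct: GuestAccount, now: datetime) -> Tuple[bool, str]:
    """Decide a login attempt; anything unrecognised or incomplete is denied."""
    if acct.allowed_hours is not None:
        opens, closes = acct.allowed_hours
        if not (opens <= now.time() < closes):
            return False, "restricted hours"
    if acct.policy == "start_end":
        if acct.start is None or acct.end is None:
            return False, "misconfigured"
        if now < acct.start:
            return False, "not yet valid"
        return (True, "ok") if now < acct.end else (False, "expired")
    first = acct.first_login or now           # the clock starts at the first login
    if acct.policy == "from_first_login":
        if acct.allowance is None:
            return False, "misconfigured"
        return (True, "ok") if now < first + acct.allowance else (False, "expired")
    if acct.policy == "usage_in_window":
        if acct.allowance is None or acct.window is None:
            return False, "misconfigured"
        if now >= first + acct.window:
            return False, "window closed"
        return (True, "ok") if acct.used < acct.allowance else (False, "usage exhausted")
    return False, "unknown policy"

# Constructed sample: 2 hours of usage within 24 hours of first login, office hours only.
T0 = datetime(2011, 4, 6, 9, 0)
DEMO = GuestAccount("usage_in_window", allowance=timedelta(hours=2), window=timedelta(hours=24),
                    first_login=T0, used=timedelta(hours=1), allowed_hours=(time(8), time(18)))

if __name__ == "__main__":
    for offset in (1, 11, 25):                # hours after first login
        print(offset, may_login(DEMO, T0 + timedelta(hours=offset)))
```

The restriction is checked before the policy so that a still-valid account is refused outside permitted hours; the end of each interval is exclusive, so an account valid for one hour is refused at exactly sixty minutes.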

Page 16: Cisco  NAC  Guest Server Guest Access - Simplified

Notification: Guest User Account Delivery

Send account information via print-out, email, or SMS

Page 17: Cisco  NAC  Guest Server Guest Access - Simplified

Audit and Reports

- Sponsor Information
- Account Management
- Guest Information

Visibility and Management of Guest Users

Page 18: Cisco  NAC  Guest Server Guest Access - Simplified

Guest Activity Reporting

Username: guestname
IP Address: 10.1.1.1

Login Time: 15:05
Logout Time: 14:30

15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com

Consolidated Audit Report of Guest Activity

Page 19: Cisco  NAC  Guest Server Guest Access - Simplified

Detailed guest audit information

- When they logged in
- Where they logged in
- The guest's address
- What they did
- What was allowed
- What was disallowed

Page 20: Cisco  NAC  Guest Server Guest Access - Simplified

NAC Guest Server Deployment Options

Page 21: Cisco  NAC  Guest Server Guest Access - Simplified

Network Enforcement Devices

Network Enforcement Devices control the guest user:

- Deliver the automatic redirect to a captive portal
- Authenticate the user against the Guest Server
- Enforce the user's access privileges
- Record network access information

Supported devices:

- Cisco NAC Appliance for Secure Guest Access
- Cisco Wireless LAN Controllers
- Cisco Catalyst Switch

Page 22: Cisco  NAC  Guest Server Guest Access - Simplified

Customizable Portals

Welcome to our guest hotspot!

Fully customize this page and add the widgets you want!

Login

Credit Card

Guest Self Registration

Password Change

Page 23: Cisco  NAC  Guest Server Guest Access - Simplified

NAC Guest Server Walkthrough

1. Sponsor creates account on the NAC Guest Server

2. Sponsor gives the credentials to the guest via print-out, email or SMS

3. Guest authenticates with the web portal from NGS which authenticates the guest by RADIUS to the NGS

[Diagram: Wireless LAN Controller, RADIUS, NAC Guest Server]

Page 24: Cisco  NAC  Guest Server Guest Access - Simplified

NAC Guest Server Walkthrough

4. If auth is successful the guest is given Internet access

5. Wireless LAN Controller and Firewalls provide audit information to the NAC Guest Server

6. When the account expires the Wireless LAN Controller logs off the guest

[Diagram: Wireless LAN Controller, Internet]

Page 25: Cisco  NAC  Guest Server Guest Access - Simplified

Wireless Only Deployment

[Diagram labels: Sponsored, Guest, Cisco NGS Guest Server, Wireless LAN Controller, Internet, LAN\WAN, Active Directory, Optional]

* Employee Wireless uses separate SSID providing higher security and full network access

- Easiest to deploy; least design impact
- Broad use-case

Page 26: Cisco  NAC  Guest Server Guest Access - Simplified

Add Secure Wired Access in Public Spaces

[Diagram labels: Sponsored, Guest, Cisco NGS Guest Server, Wireless LAN Controller, Employee, Internet, Parity for Wired / WLAN, Conference Room Ports, LAN\WAN, Active Directory, Optional]

Enabling this feature may affect network design and require configuration changes. Employee wired access on these ports becomes limited to internet in this scenario.

* Employee Wireless uses separate SSID providing higher security and full network access

Page 27: Cisco  NAC  Guest Server Guest Access - Simplified

Complete Guest and Employee Secure Network Access

[Diagram labels: Sponsored, Guest, Wireless LAN Controller, Internet, Parity for Wired / WLAN, Switch, Active Directory, Employee, 802.1X/MAB Compatibility, LAN\WAN, SSC, Employee, 802.1X, MAB, Cisco NGS Guest Server]

Enabling this feature on switch ports leverages a similar 802.1X PEAP solution, typical of Enterprise Wireless authentication.

* Employee Wireless uses separate SSID providing higher security and full network access

Page 28: Cisco  NAC  Guest Server Guest Access - Simplified

Application Programming Interface

Open Web API for use by custom applications

Example applications:

- Visitor Management Systems (Automatically create guest accounts)
- Hotel Property Management Systems (Provision at guest check-in)
- Identity Management System (Single portal for all accounts)

Page 29: Cisco  NAC  Guest Server Guest Access - Simplified


Costing Summary

Product Hardware Software HW/SW Maintenance

NAC3315-GUEST-K9 $24,995 (list) Included $3,989 (sntp)

• Above does not include Implementation planning and deployment

Page 30: Cisco  NAC  Guest Server Guest Access - Simplified

MANY Variations

- Different Designs
- Different Network Enforcement Devices
- Different Authentication Methods
- Different Auditing/Tracking Requirements

NAC Guest Server with Wireless Guest Access: Provides easy yet secure solution

NAC Guest Server is the primary tool to meet requirements of most guest access solutions

Page 31: Cisco  NAC  Guest Server Guest Access - Simplified


DEMO
