deploying wireless guest access - alcatron.net live 2015 melbourne/cisco live... · deploying...


Page 1: Deploying Wireless Guest Access - alcatron.net Live 2015 Melbourne/Cisco Live... · Deploying Wireless Guest Access BRKEWN-2014 Gareth Taylor, CCIE# 4243 Systems Engineer Cisco

#clmel

Deploying Wireless Guest Access

BRKEWN-2014

Gareth Taylor, CCIE# 4243, Systems Engineer, Cisco


© 2015 Cisco and/or its affiliates. All rights reserved. BRKEWN-2014 Cisco Public

Agenda

• Overview

• Wireless Guest Access Control & Path Isolation

• Wired Guest Access Control & Path Isolation

• Guest Services Portal

• Guest Services Provisioning

• Guest Monitoring & Reporting


Overview: Guest Access as a Supplementary User Authentication


Evolution of Network Access: Age of the Unified Access Network

[Figure labels: Campus Network; Branch Network; Internal Resources; Internet; Access Method (VPN, Hotspot, Wireless); Location, Health, Time; Employee (Sales), Employee (Finance), Managed Desktop?, VPN Employee, Wireless Employee, Mobile Workers, Guest, Contractor, Personal Devices, Guest Game Console, IP Camera, Security Systems, Printer (Payroll), Printer (Sales).]


When to Use Web-Authentication?

Web Auth is a supplementary authentication method

It is most useful when users can’t perform or pass 802.1X

Primary Use Case: Guest Access

Secondary Use Case: Employee who fails 802.1X

• 802.1X: Managed 802.1X-devices, Known users

• MAB (mac-address bypass): Managed devices

• Web Auth: Users without 802.1X devices, Users with Bad credentials

[Figure labels: Employee with SSC (802.1X); Employee with SSC (bad credential); Guest.]


Corporate vs Guests: Who = User Identity

1. EAP Authentication

2. Accept with VLAN 30

3. Web Auth

4. Accept with GUEST ACL

Users with Corporate Devices with their AD user id can be assigned to Employee VLAN

Guests authenticate via Web Auth and are assigned to a GUEST-ACL on the Guest VLAN

[Figure labels: Employee; Guest Device; CAPWAP; 802.1Q Trunk; VLAN 30; VLAN 50; ISE; Corporate Resources; Internet.]


Requirements for Secure Guest Access

Technical

• No access until authorised

• Guest traffic should be segregated from the internal network

• Web-based authentication

• Bandwidth and QoS management

• Overlay onto existing enterprise network

Usability

• No device reconfiguration, no client software required

• “Plug & Play”

• Easy administration by non-IT staff

• Splash screens and web content can differ by location

• “Guest network” must be free or cost-effective and non-disruptive

Monitoring

• Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted

• Logging & Monitoring: Auditing of location, MAC, IP address, username


Wireless Guest Access Control & Path Isolation


Access Control: End-to-End Wireless Traffic Isolation

The fact:

• Traffic isolation achieved via CAPWAP is valid from the AP to the WLAN Controller

The challenge:

• How to provide end-to-end wireless guest traffic isolation, allowing internet access but preventing any other communications?

Why do we need it for Guest Access:

• Extend traffic logical isolation end-to-end over L3 network domain

• Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, bandwidth, etc.)

• Securely transport the guest traffic across the internal network infrastructure to DMZ

[Figure labels: CAPWAP APs; CAPWAP Tunnels.]


Converged Access Guest – Mid-Sized and Small Branch: WebAuth With Catalyst 3850 / 3650 / Sup8E Only (<250 APs, and no Guest Anchor)

WebAuth Portal Characteristics

• Small ~ Mid-Size Independent or Remote Branch

• Distributed Guest WebAuth Portal in each Mobility Agent “MA”

• Wireless Guest Traffic gets its IP Address at Point of Presence “POP” at MA

• WebAuth Portal on-box, Customisable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Pass thru/Consent, Logout Page

• HTTPS and HTTP redirect for Wired and Wireless

• Authenticating: local database/AAA/LDAP/Cisco Prime-Lobby Ambassador

• Security: Pre-Auth ACL, AAA override for DACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing

• Visibility: Flexible Netflow

• Seamless Mobility L2 / L3 Roaming

[Figure: Cisco Converged Access Deployment. Labels: Intranet; SPG; FW; CPI; ISE; MC/MA Cat3850 with WebAuth; MA with WebAuth; APs; CAPWAP Tunnels; Guest and Employee clients.]


Converged Access Guest – Mid-Sized and Small Branch: WebAuth Central Guest Anchor and “Converged Access” 3850 / 3650 / Sup8E (<250 APs per Branch)

WebAuth Portal & GA Characteristics

• Small ~ Mid-Size Independent Branch With Cat3650/3850

• Central Guest WebAuth Portal in GA CT5760/CT5508/WiSM-2/CT2504

– Centralised Wired & Wireless Guest starting with 3.3.0SE

– Cat3650/3850 only acts as Foreign

• Wireless & Wired Guest Traffic gets POP at GA

• Provides granular centralised profiling ISE Policy Decision Point (PDP) of Guest devices

• Provides simple aggregation to DMZ for Firewall and Web Filtering of all Guest

– WebAuth Portal on-box, Customisable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Pass thru/Consent, Logout Page

– HTTPS and HTTP redirect for Wired and Wireless

– Authenticating: local database/AAA/LDAP/Cisco Prime-Lobby Ambassador

– Security: Pre-Auth ACL, AAA override for DACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing

– Visibility: Flexible Netflow

– Seamless Mobility L2/L3 Roaming

[Figure: Cisco Converged Access Deployment. Labels: Data Center; Intranet; SPG; FW; CPI; ISE; WLC Guest Anchor with WebAuth; CAPWAP Mobility Tunnel; MC/MA and MA “CA” switches as Foreign; APs; CAPWAP Tunnels; Guest and Employee clients.]


Centralised WLC Guest Anchor “GA”: Campus WebAuth

WebAuth Portal & GA Characteristics

• Large Independent Campus or Branch (No Converged Access) – “Classic Centralised CUWN”

• Central Guest WebAuth Portal in GA CT5760/CT5508/WiSM-2/CT8510/CT2504

– Wireless Guest Traffic gets its IP Address at GA – Point of Presence “POP”

– Provides granular centralised profiling (PDP) of Guest devices

– Provides simple aggregation to DMZ for Firewall and Web Filtering of all Guest

– Use of up to 71 EoIP/CAPWAP Anchor tunnels with redundant Anchor WLC

– WebAuth Portal on-box, Customizable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Pass thru/Consent, Logout Page

– HTTPS and HTTP redirect for Wired and Wireless

– Authenticating: local database/AAA/LDAP/Cisco Prime-Lobby Ambassador

– Security: Pre-Auth ACL, AAA override for DACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing

– Seamless Mobility L2/L3 Roaming

[Figure labels: Data Centre; Intranet; Centralised Service block (Cat3750); WLCs; Guest Anchor with WebAuth; FW; CPI; ISE; CAPWAP Mobility Tunnel; EoIP or CAPWAP Tunnels; APs; Guest and Employee clients.]


Implementing Guest Path Isolation Using WLC: Building the EoIP/CAPWAP Tunnel

1. Specify a mobility group for each WLC

2. Open ports for:

a) Inter-Controller Tunneled Client Data

b) Inter-Controller Control Traffic

c) EoIP/CAPWAP tunnel protocol

d) Other ports as required

3. Configure the mobility groups and add the MAC-address and IP address of the foreign WLC

4. Check the status of the Mobility Anchors for the WLAN

5. Create Guest VLAN on Anchor controller(s)

6. Configure identical WLANs on the Foreign and Anchor controllers

7. Configure the Mobility Anchor for the Guest WLAN


Guest Path Isolation: Firewall Ports and Protocols (For Your Reference)

Open ports in both directions for:

• EoIP packets (Classic Mobility Anchor): IP protocol 97

• Mobility Control & New Mobility Data: UDP Port 16666

• Inter-Controller CAPWAP (rel 5.0+) Data/Control Traffic: UDP 5247/5246

Optional management/operational protocols:

• SSH/Telnet: TCP Port 22/23

• TFTP: UDP Port 69

• NTP: UDP Port 123

• SNMP: UDP Ports 161 (gets and sets) and 162 (traps)

• HTTPS/HTTP: TCP Port 443/80

• Syslog: TCP Port 514

• RADIUS Auth/Account: UDP Port 1812 and 1813

[Slide callouts: “Must be Open!”; “Do NOT Open!”]
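An added example (not from the Cisco slides): a first-match audit of a firewall rule set between a foreign and an anchor WLC against the port list above. The `Rule` model, the host names `foreign-wlc` and `anchor-wlc`, and the sample rules are constructed for illustration; the audit treats every entry in the slide's first list as required in both directions.

```python
from dataclasses import dataclass

# Traffic the slide lists between foreign and anchor WLCs, both directions.
# ("ip", 97) is an IP protocol number, not a port.
REQUIRED = {
    "EoIP (classic mobility anchor)": ("ip", 97),
    "Mobility control / new mobility data": ("udp", 16666),
    "Inter-controller CAPWAP control": ("udp", 5246),
    "Inter-controller CAPWAP data": ("udp", 5247),
}
# Optional management/operational protocols, exactly as listed on the slide.
OPTIONAL = {
    "SSH": ("tcp", 22), "Telnet": ("tcp", 23), "TFTP": ("udp", 69),
    "NTP": ("udp", 123), "SNMP": ("udp", 161), "SNMP traps": ("udp", 162),
    "HTTPS": ("tcp", 443), "HTTP": ("tcp", 80), "Syslog": ("tcp", 514),
    "RADIUS auth": ("udp", 1812), "RADIUS accounting": ("udp", 1813),
}


@dataclass(frozen=True)
class Rule:
    """One line of a simplified, ordered rule set (hypothetical model)."""
    action: str     # "permit" or "deny"
    src: str        # host name or "any"
    dst: str        # host name or "any"
    proto: str      # "ip", "udp", "tcp" or "any"
    number: object  # port or IP protocol number, or "any"


def first_match(rules, src, dst, proto, number):
    """Return the action of the first matching rule; implicit deny otherwise."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.number in (number, "any")):
            return r.action
    return "deny"


def audit(rules, foreign, anchor):
    """Report required traffic that is blocked, optional traffic that is open,
    and permit rules for the pair that appear on neither list."""
    missing, optional_open, unexpected = [], [], []
    for src, dst in ((foreign, anchor), (anchor, foreign)):
        for name, (proto, num) in REQUIRED.items():
            if first_match(rules, src, dst, proto, num) != "permit":
                missing.append((name, src, dst))
        for name, (proto, num) in OPTIONAL.items():
            if first_match(rules, src, dst, proto, num) == "permit":
                optional_open.append((name, src, dst))
    known = set(REQUIRED.values()) | set(OPTIONAL.values())
    pair = (foreign, anchor, "any")
    for r in rules:
        if (r.action == "permit" and r.src in pair and r.dst in pair
                and (r.proto, r.number) not in known):
            unexpected.append(r)  # includes over-broad "any" permits
    return {"missing": missing, "optional_open": optional_open,
            "unexpected": unexpected}


# Constructed sample: CAPWAP data is only permitted one way, Telnet is open,
# and one permit (tcp/3389) is on neither of the slide's lists.
SAMPLE_RULES = [
    Rule("permit", "foreign-wlc", "anchor-wlc", "ip", 97),
    Rule("permit", "anchor-wlc", "foreign-wlc", "ip", 97),
    Rule("permit", "foreign-wlc", "anchor-wlc", "udp", 16666),
    Rule("permit", "anchor-wlc", "foreign-wlc", "udp", 16666),
    Rule("permit", "foreign-wlc", "anchor-wlc", "udp", 5246),
    Rule("permit", "anchor-wlc", "foreign-wlc", "udp", 5246),
    Rule("permit", "foreign-wlc", "anchor-wlc", "udp", 5247),
    Rule("permit", "foreign-wlc", "anchor-wlc", "tcp", 23),
    Rule("permit", "foreign-wlc", "anchor-wlc", "tcp", 3389),
    Rule("deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_RULES, "foreign-wlc", "anchor-wlc").items():
        print(key, items)
```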


Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel – Foreign Configuration

Anchor and Foreign WLCs are configured in different Mobility Groups


Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel - Anchor & Foreign Configuration

Configure the mobility groups and add the MAC-address and IP address of the foreign WLCs

[Screenshots: Anchor; Foreign]


Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel – Anchor Configuration

Check the status of the mobility anchors for the WLAN


Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel - Anchor & Foreign Configuration

Configure Guest VLAN on the Anchor WLC


Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel – Anchor Configuration

Configure the mobility anchor for the guest WLAN on Anchor WLCs


Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel – Foreign Configuration

Configure the mobility anchor for the guest WLAN on Foreign WLCs


Wired Guest Access Control and Path Isolation


Unified Wired and Wireless Deployment

AireOS WLC and IOS-XE WLC provide 2 approaches to solving this!

Allows organisations to leverage existing wireless infrastructure to provide guest access on the LAN

Lobby Administrator interface and captive portal provides ease of guest user provisioning and consistent network access

Enables the ability to leverage common guest user policies for both wired and wireless network access

WLC Wired Guest Access


WLC Guest Access for Wired LAN: AireOS WLC Overview

[Figure labels: Wired Client; Layer-2 Switch; Campus Core; Wireless VLANs (Guest, Secure); CAPWAP; EtherIP “Guest Tunnel”; EoIP/CAPWAP “Guest Tunnel”; Internet.]

Wired Guest VLAN must be L2 adjacent with WLC

Wired Guest VLAN can be fallback VLAN in 802.1x/EAP authentication on switch

Supported on CT2504, CT5508, CT8510, WiSM-2 series


WLC Wired Guest Access with EoIP/CAPWAP: AireOS WLC - Wired Guest Access

1. Wired Guest ports are provided in designated locations at the Access Switch

2. The configuration on the Access switch puts these ports into the wired guest layer-2 VLAN

3. On a single WLAN Controller the Guest VLAN will be trunked into the WLC

4. On a multi-controller deployment with Auto Anchor mode the guest VLAN will trunk into the Foreign controller and then be tunneled into the DMZ Anchor controller

[Figure labels: Wired Guests; Wireless Guests; Isolated L2 VLAN; Wireless LAN Controller; EoIP Tunnel; DMZ or Anchor Wireless LAN Controller; Cisco ASA Firewall; Corporate Intranet; Internet.]


WLC Wired Guest Access Configuration: AireOS WLC - Wired Guest Access Deployment Steps

Create a dynamic interface as “Guest LAN” which will be the ingress “Foreign” interface

DHCP server information is not required on the ingress “Foreign” interface

DHCP server information is required on the egress “Anchor” dynamic interface


WLC Wired Guest Access Configuration

Create wired WLAN as “Guest LAN” type

AireOS WLC - Wired Guest Access Deployment Steps


WLC Wired Guest Access Configuration: AireOS WLC - Wired Guest Access Deployment Steps – Foreign WLC

Assign the Ingress and Egress Interfaces

Ingress interface is the wired guest LAN

Egress interface could be the management or any dynamic interface


WLC Wired Guest Access Configuration: AireOS WLC - Wired Guest Access Deployment Steps – Anchor WLC

Wireless and wired guest WLAN

Egress interface will be the wired guest desired dynamic interface


Unified Wired and Wireless Deployment: IOS-XE WLC “CA” & Wired Guest Access

• Wireless Guest Access supported from FCS (3.2.0SE)

• With IOS-XE 3.3.0SE ‘Wired’ Guest Anchor Access is introduced

• ‘tunnel-mode’ as the fallback method to Enterprise Level Security

• Tunnels Wired Guest traffic to the Guest Anchor Controller

• Works with SaNET based policies only

• Can support up to 2000 Wired Clients

• Up to 5 Wired Guest LANs can be configured

• Each Wired Guest LAN can have multiple Guest Controllers for redundancy

[Figure: Cisco Converged Access Deployment. Flows shown for Open Guest Access and Web Authenticated Guest Access, with the stages: Failed Dot1X/MAB at switch; CAPWAP Session to Guest Anchor Controller; IP Address Assignment; Local WebAuth at Guest Anchor Controller; Client Authorisation; Guest Access at Guest Anchor Controller.]


Wired Guest Anchor Access With CAPWAP: IOS-XE WLC “CA” Co-Located MC and MA Deployment Steps

[Figure: Cisco Converged Access Deployment. Labels: Wired Guest User; “CA” Switch (MC, MA); WAN; Central Location / Data Centre-DMZ; Guest Anchor (GA); ISE; CPI.]

GA:

    wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
    guest-lan wga_lan 1
     client vlan VLAN0042
     security web-auth
     mobility anchor

MC/MA:

    wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105
    policy-map type control subscriber wga_policy
     event session-started match-all
      1 class always do-until-failure
       1 activate service-template wga_temp
       2 authorize
     event authentication-failure match-all
      1 class always do-until-failure
       1 deactivate service-template wga_temp
    service-template wga_temp
     tunnel type capwap name wga_lan
    guest-lan wga_lan 1
     client vlan VLAN0042
     security web-auth
     mobility anchor 10.1.1.105
    interface GigabitEthernet1/0/2
     access-session port-control auto
     service-policy type control subscriber wga_policy


Wired Guest Anchor Access with CAPWAP: IOS-XE WLC “CA” & Centralised MC, Distributed MAs

[Figure: Cisco Converged Access Deployment. Labels: Wired Guest User; Campus Access (MAs); Campus Services; MC (5508/5760); Data Centre; Data Centre-DMZ; Campus Guest Anchors (GA); ISE; CPI; Internet.]


Wired Guest Anchor Access with CAPWAP: IOS-XE WLC “CA” & Centralised MC, Distributed MAs

[Figure: Cisco Converged Access Deployment. Labels: Wired Guest User; Campus Access (MAs); Campus Services; MC (5508/5760); Data Centre; Data Centre-DMZ; Campus Guest Anchors (GA); ISE; CPI; Internet.]

MC:

    wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105

GA:

    wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
    guest-lan wga_lan 1
     client vlan VLAN0042
     security web-auth
     mobility anchor


Wired Guest Anchor Access with CAPWAP: IOS-XE WLC “CA” & Centralised MC, Distributed MAs

[Figure: Cisco Converged Access Deployment. Labels: Wired Guest User; Campus Access (MAs); Campus Services; MC (5508/5760); Data Centre; Data Centre - DMZ; Campus Guest Anchors (GA); ISE; CPI; Internet.]

MC:

    wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105

MA:

    policy-map type control subscriber wga_policy
     event session-started match-all
      1 class always do-until-failure
       1 activate service-template wga_temp
       2 authorize
     event authentication-failure match-all
      1 class always do-until-failure
       1 deactivate service-template wga_temp
    service-template wga_temp
     tunnel type capwap name wga_lan
    guest-lan wga_lan 1
     client vlan VLAN0042
     security web-auth
     mobility anchor 10.1.1.105

GA:

    wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
    guest-lan wga_lan 1
     client vlan VLAN0042
     security web-auth
     mobility anchor

MA:

    interface GigabitEthernet1/0/2
     access-session port-control auto
     service-policy type control subscriber wga_policy
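An added example (not from the Cisco slides): a drift check that parses the foreign-side and anchor-side snippets shown above and verifies that the two sides still agree. The parser only understands the handful of commands on these slides; treating 11.1.1.1 as the foreign address and 10.1.1.105 as the anchor address is inferred from the slide configuration, and the list of checks and the `ANCHOR_DRIFTED` sample are constructed for illustration.

```python
import re

# Foreign-side (MC/MA) and anchor-side (GA) snippets as shown on the slides.
FOREIGN_CFG = """\
wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105
service-template wga_temp
 tunnel type capwap name wga_lan
guest-lan wga_lan 1
 client vlan VLAN0042
 security web-auth
 mobility anchor 10.1.1.105
"""
ANCHOR_CFG = """\
wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
guest-lan wga_lan 1
 client vlan VLAN0042
 security web-auth
 mobility anchor
"""
# Constructed drift: wrong peer address and web-auth dropped on the anchor.
ANCHOR_DRIFTED = """\
wireless mobility group member ip 11.1.1.2 public-ip 11.1.1.2
guest-lan wga_lan 1
 client vlan VLAN0042
 mobility anchor
"""


def parse(cfg):
    """Return (mobility members, guest-lans, tunnel names) from a snippet."""
    members, lans, tunnels, current = set(), {}, set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():  # sub-command of the block opened above
            m = re.match(r"tunnel type capwap name (\S+)", line)
            if m:
                tunnels.add(m.group(1))
            elif current is not None and line.startswith("security "):
                current["security"].add(line.split(None, 1)[1])
            elif current is not None and line.startswith("mobility anchor"):
                # A bare "mobility anchor" means the controller anchors locally.
                current["anchor"] = line[len("mobility anchor"):].strip() or "self"
            continue
        current = None  # any top-level command closes the previous block
        m = re.match(r"wireless mobility group member ip (\S+)", line)
        if m:
            members.add(m.group(1))
        m = re.match(r"guest-lan (\S+) (\d+)$", line)
        if m:
            current = lans.setdefault(
                m.group(1),
                {"id": int(m.group(2)), "security": set(), "anchor": None})
    return members, lans, tunnels


def check_pair(foreign_cfg, anchor_cfg, foreign_ip, anchor_ip):
    """Return a list of findings; an empty list means the pair is consistent."""
    f_members, f_lans, f_tunnels = parse(foreign_cfg)
    a_members, a_lans, _ = parse(anchor_cfg)
    findings = []
    if anchor_ip not in f_members:
        findings.append(f"foreign: anchor {anchor_ip} is not a mobility group member")
    if foreign_ip not in a_members:
        findings.append(f"anchor: foreign {foreign_ip} is not a mobility group member")
    for name in sorted(f_tunnels - set(f_lans)):
        findings.append(f"foreign: tunnel references undefined guest-lan {name}")
    for name, f in sorted(f_lans.items()):
        a = a_lans.get(name)
        if a is None:
            findings.append(f"guest-lan {name}: missing on anchor")
            continue
        if f["id"] != a["id"]:
            findings.append(f"guest-lan {name}: id {f['id']} vs {a['id']}")
        if f["security"] != a["security"]:
            findings.append(
                f"guest-lan {name}: security differs "
                f"(foreign {sorted(f['security'])}, anchor {sorted(a['security'])})")
        if f["anchor"] != anchor_ip:
            findings.append(
                f"guest-lan {name}: foreign anchors to {f['anchor']}, expected {anchor_ip}")
        if a["anchor"] != "self":
            findings.append(f"guest-lan {name}: anchor has no local 'mobility anchor'")
    return findings


if __name__ == "__main__":
    print(check_pair(FOREIGN_CFG, ANCHOR_CFG, "11.1.1.1", "10.1.1.105"))
    print(check_pair(FOREIGN_CFG, ANCHOR_DRIFTED, "11.1.1.1", "10.1.1.105"))
```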


Wired Guest Anchor Access: IOS-XE WLC - No Wired Guest Anchor without Wireless Enabled on 3850 / 3650 / Sup8E

In this deployment Wired Guest Anchor Access is NOT supported

3850 / 3650 / Sup8E acting as pure switch with no wireless enabled (no MA or MC capability)

[Figure: Cisco Converged Access Deployment. Labels: Mobility Group; Wired Guest User; Campus Access; Campus Services; MC (5508/5760); MA; Data Centre; Data Centre-DMZ; Campus Guest Anchors (GA); ISE; CPI; Internet.]


IRCM Compatibility Matrix (For Your Reference)

http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

| CUWN Service | 4.2.x.x | 5.0.x.x | 5.1.x.x | 6.0.x.x | 7.0.x.x | 7.2.x.x | 7.3.x.x | 7.4.X.X | 7.5.x.x | 7.6.X.X | 7.3.112 & ≥ 7.5 [1] | IOS-XE ≥ 3.2.0SE [1] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Layer 2 and Layer 3 Roaming | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| Wireless Guest Anchor/Termination | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | OK | OK [2] |
| wIPS & AwIPS Rogue Detection | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK [3] |
| Fast Roaming (CCKM) in a mobility group | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| Location Services | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| Radio Resource Management (RRM) | Y | – | – | Y | Y | Y [4] | Y [4] | Y | Y | Y | OK [5] | OK [5] |
| Management Frame Protection (MFP) | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| AP Failover | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK [6] | OK [6] |

Y = Compatibility in Classic Flat Mobility; OK = Compatibility in New Mobility

NOTES:

1. New Mobility is only supported on AireOS CT2504/CT5508 & WiSM-2 platforms but does not form any IRCM or GA with CT7500/CT8500/v-WLC

2. Guest Anchor Termination is only supported on CT2504/CT5760/CT5508/WiSM-2. CT2504/CT5760/CT5508/WiSM-2/Cat3650&3850 are all supported as a Foreign

3. Rogue Detector Mode is not supported on CA mode with Cat3650/3850

4. In Release 7.2 RF Profiles and groups were introduced. RRM for release 7.2 and later is not backwardly compatible with previous releases.

5. RRM Converged Access is compatible with CUWN release 7.6+ but does not support RF Profiles and Groups introduced in 7.2

6. AP SSO in IOS 3.3.0SE for CT5760. AP Intra-OS Platform Fast Failover Supported. AP Inter-OS Platform Image Download & Reboot performed.


Guest Services Portal


Local WLC WebAuth “LWA” Guest Services Portal: Internal Web Portal “LWA”

• Wireless guest user associates to the guest SSID

• Initiates a browser connection to any website

• Web login page will be displayed

[Screenshot labels: Fixed Welcome Text; Login Credentials.]

Wireless & Wired Guest Authentication Portal is available in 4 modes:

1. Internal (Default Web Authentication Pages) – aka: Local WebAuth “LWA”

2. Customised (Downloaded Customised Web Pages) – Still “LWA”

3. External Using ISE for Radius Authentication – Still “LWA”

4. External (Re-directed to external server) – aka: External WebAuth “EWA”

ISE Central WebAuth “CWA” is another version of this, not covered today


“LWA” Guest Services Portal: Customisable Web Portal “LWA”

• Create your own Guest Access Portal web pages

• Upload the customised web page to the WLC

• Configure the WLC to use “customisable web portal”

• Customised WebAuth bundle up to 5 Mb in size can contain:

– 22 login pages (16 WLANs, 5 Wired LANs and 1 Global)

– 22 login failure pages

– 22 login successful pages


“LWA” Guest Services Portal: IOS-XE WLC Important Upgrade Note (For Your Reference)

Refer to CCO release notes IOS-XE 3.6.0SE or above

“After you upgrade to Cisco IOS XE Release 3.6.0 SE or above, the WebAuth success page behaviour is different from the behaviour seen in Cisco IOS XE Release 3.3.X SE. After a successful authentication on the WebAuth login page, the original requested URL opens in a pop-up window and not on the parent page. Therefore, we recommend that you upgrade the Web Authentication bundle so that the bundle is in the format that is used by the AireOS Wireless LAN Controllers.”


External WebAuth “EWA” Guest Services Portal: External Web Portal “EWA”

• Set in WLC > Security > WebAuth > Login

• Or override at Guest WLAN

• Option to use Pre-Auth ACL


ISE “EWA” Guest Services Portal: ISE Web Portal “EWA”

ISE Guest Server

• Multi-Function Standalone/Distributed Appliance

• Customisable Multi-Portal Hosting

• Sponsored Guest Access Provisioning, Verification, Management


ISE “EWA” Wireless Guest: ISE “EWA” Centralised Login Page

1. Administrator Creates WLAN Login Page on ISE

2. Wireless Guest Opens Web browser

3. Web traffic is intercepted by Wireless LAN Controller and redirected to Guest Server.

4. Guest Server returns centralised login page

[Figure: steps (1) to (4) between the guest, AP, WLC and ISE, with the redirect at step (3).]


ISE “EWA” Wired Guest: Looks Exactly the Same as Wireless

1. Administrator Creates Wired Login Page on ISE

2. Wired guest opens Web browser

3. Web traffic is intercepted by switch and redirected to Guest Server.

4. Guest Server returns centralised login page

[Figure: steps (1) to (4) between the guest, switch and ISE, with the redirect at step (3).]


“EWA” Authentication and Authorisation: Still Local

1. Administrator Creates Wired Login Page on ISE

2. Wired guest opens Web browser

3. Web traffic is intercepted by switch and redirected to Guest Server.

4. Guest Server returns centralised login page

5. Guest submits credentials to switch

6. Switch authenticates credentials & controls access

[Figure: steps (1) to (6) between the guest, switch and ISE; step (5) is a POST to the switch carrying username and pwd; step (6) is Authentication / Access Control.]


CMX Visitor Connect 8.0Another type of “EWA” CPI

Device Specific / Location Specific

Login Screen

Wireless Clients

SOAP/XML

Rest APICAS Service (Location)

MSEConnect & Engage

Service MSE

HTTP 8083 redirect

at login1

Page 47:

CMX Analytics Topology

CMX for Facebook Wifi

[Diagram: Wireless Clients receive a Device Specific / Location Specific Login Screen; components labelled CPI, MSE, CAS Service (Location), Connect & Engage Service and Facebook; links labelled SOAP/XML and Rest API; steps (1) and (2) marked; labels: "HTTPS redirect at login" and "First redirect, on port 8084 then moved to Facebook".]

Page 48:

Configuring CMX Visitor Connect

In MSE 8.0 we have dramatically simplified how Visitor Connect is configured: the user only needs to configure the items to be collected (i.e. email and name) and the zones where this template will be used. The first template will be the default for all locations.

You can configure Social Auth users to have a higher quota than non-Social Auth users.

Page 49:

CMX Visitor Connect

Location-Specific Guest Access

CONNECT

TERMS AND CONDITIONS; REGISTRATION

SIMPLIFIED SOCIAL LOGIN

CUSTOM LANDING PAGE/VIDEO

Page 50:

Guest Onboarding Methods Compared

| Guest Method | CMX Visitor Connect / Facebook Wifi | CMX Visitor Connect (old) | CMX for Facebook Wifi (old) | WLC Based with and without ISE |
| MSE Image | 8.0 | 7.6 | Separate OVA | N/A - Uses WLC image only |
| Authentication | OAuth with Social Credentials i.e. FB, G+, LinkedIn, or Native FB | OAuth with Social Credentials i.e. FB, G+, LinkedIn | Facebook only | Guest Users in ISE or via PI / Cisco Lobby Ambassador or AAA |
| Info to authenticator | Credentials only (OAuth) or Credentials and Packet Counts | Credentials only | Credentials and packet counts | Credentials |
| Disconnect | New NMSP message for force deauthentication controlled by FB policy or config (on WLC 8.0) | Session timeout on WLC | Based on FB policy, after 2 hours reconnect required | Configurable in PI or ISE |
| Requirements | Standard MSE | Standard MSE | Special purpose VM plus PBR | Standard WLC + ISE |

For Your Reference

Page 51:

Guest Services Provisioning

Page 52:

Requirements for Guest Provisioning

Might be performed by non-IT user “Lobby Ambassador”

Must deliver basic features, but might also require advanced features:

Duration,

Start/End Time,

Bulk provisioning

Reporting

Provisioning Strategies:

Lobby Ambassador

Employees

Page 53:

Multiple Guest Provisioning Services

The Cisco Guest Access Solution supports several provisioning tools with differing feature richness.

Cisco WLC: Basic Provisioning

CPI Lobby Ambassador: Advanced Provisioning

Cisco Identity Services Engine: Dedicated Provisioning

Custom Server: Customised Provisioning

CMX Visitor Connect: “B2V” Provisioning

[Diagram grouping labels: Included in Cisco Wireless LAN Solution; Additional Cisco Product and Services; Highly Custom Development]

Page 54:

Guest Provisioning Service

Cisco Wireless LAN Controller (AireOS)

Lobby Ambassador accounts can be created directly on Wireless LAN Controllers

Lobby Ambassadors have limited guest features and must create the user directly on the WLC:

Create Guest User – up to 2048 entries

Set time limitation – up to 35 weeks

Set Guest SSID

Set QoS Profile

Page 55:

Guest Provisioning Service

Create the Lobby Admin in WLC (AireOS)

A lobby administrator can be created directly in the WLC

Page 56:

Local WLC Guest Management

Password is Created

Quickly Create Guest with Time and WLAN Profile

Guest Web Login

Page 57:

Guest Provisioning Service

Cisco Prime Infrastructure

CPI offers specific Lobby Ambassador access for Guest management only

Lobby Ambassador accounts can be created directly on CPI, or be defined on external RADIUS/TACACS+ servers

Lobby Ambassadors on CPI are able to create guest accounts with advanced features like:

Start/End time and date, duration,

Bulk provisioning,

Set QoS Profiles,

Set access based on WLC, Access Points or Location

Page 58:

Guest Provisioning Service

Lobby Ambassador Feature in CPI

Associate the lobby admin with Profile and Location specific information

Page 59:

Guest Provisioning Service

Add a Guest User with CPI

Page 60:

Guest Provisioning Service

Print/E-Mail Details of Guest User

Page 61:

Guest Provisioning Service

Schedule a Guest User

Page 62:

Guest Monitoring and Reporting

Page 63:

Guest Monitoring - CPI

Monitor > Clients and Users window will show all Authentications including Guests

Identity and Authorisation can be found for Guests

Page 64:

Guest Activity Reporting - CPI

Variable Reporting Periods

Customised Profile and Scheduling

Page 65:

Guest Monitoring - ISE

Monitor > Operations > Authentications window will show all Authentications including Guests

Identity and Authorisation can be found for Guests

Page 66:

Guest Activity Reporting - ISE

Guest Reports

Drill Down Guest Detail

Page 67:

Summary

Page 68:

What We Have Covered…

What Guest Access Services are made of.

The need for a secured infrastructure to support isolated Guest traffic.

Unified Wireless is a key component of this infrastructure.

The Guest Service components are integrated in Cisco Wired and Wireless Solution.

Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network.

Page 69:

Q & A

Page 70:

Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations.

• Directly from your mobile device on the Cisco Live Mobile App

• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015

• Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com

Page 71:

Thank you.
