![Page 1: Designing Unified Guest Access, Wired and Wirelessd2zmdbbm9feqrf.cloudfront.net/2010/usa/pdf/BRKEWN-2016.pdf · Existing Credential Stores. Parity for Wired / WLAN Centralized Web](https://reader033.vdocuments.mx/reader033/viewer/2022053013/5f105fbf7e708231d448cb34/html5/thumbnails/1.jpg)
BRKEWN-2016
Designing Unified Guest Access, Wired and Wireless
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKEWN-2016_c1
Housekeeping
We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions
Please remember this is a ‘non-smoking’ venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times
Agenda
Overview: Guest Access as a Supplementary User Authentication
Wireless Guest Access Control and Path Isolation
Wired Guest Access Control and Path Isolation
Guest Authentication Portal
Guest Provisioning
Monitoring and Reporting
Guest Access Overview: Evolution to a Supplementary User Authentication
[Diagram: Borderless Network Context. Several access methods, numerous profiles: employees, contractors, consultants, partners and business partners, and unknown or guest users reach the enterprise network (data center, corporate LAN, wireless LAN, DMZ, remote site over the WAN) and the public Internet.]
Guest Access Components
[Diagram: Guest: customizable login page, sponsored guest credentials, existing credential stores, parity for wired / WLAN, centralized web page management, backed by the Enterprise Directory and the NAC Guest Server. Employee: flexible access policies, integrated access authentication, centralized accounting, 802.1X/MAB compatibility, backed by ACS 5.1.]
When to Use Web-Authentication?
802.1X: managed 802.1X devices, known users
MAB (MAC address bypass): managed devices
Web Auth: users without 802.1X devices, users with bad credentials, guests
Web Auth is a supplementary authentication method, most useful when users can’t perform or pass 802.1X.
Primary use case: Guest Access. Secondary use case: employee who fails 802.1X.
[Diagram: employees with SSC, an employee with a bad credential and a guest all connecting through a WiFi AP.]
Wireless Guest Access Control and Path Isolation
Guest Access Control
LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates original Ethernet frame)
Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs
Control and data traffic are tunneled to the controller via CAPWAP: data uses UDP 5247, control uses UDP 5246
Data traffic bridged by WLAN controller on a unique VLAN corresponding to each SSID
Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
[Diagram: Cisco WLAN Controller Deployments. LWAPP/CAPWAP tunnels from the access points cross the campus core to a WiSM WLAN controller, which bridges guest and employee traffic onto separate wireless VLANs. CAPWAP: Control And Provisioning of Wireless Access Points.]
Path Isolation
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor WLC
2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC
[Diagram: WLAN Controller Deployments with EoIP Tunnel. Guest traffic arrives at the Wireless LAN Controller over LWAPP/CAPWAP, crosses the EoIP “Guest Tunnel” to the DMZ or anchor wireless controller behind the Cisco ASA firewall, and exits to the Internet.]
Guest Path Isolation: Firewall Ports and Protocols
Open ports in both directions for:
EoIP packets: IP protocol 97
Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)
Inter-controller CAPWAP (rel 5.0, 6.0, 7.0) data/control traffic: UDP 5247/5246
Inter-controller LWAPP (before rel 5.0) data/control traffic: UDP 12222/12223
Optional management/operational protocols:
SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: TCP port 514
RADIUS auth/accounting: UDP ports 1812 and 1813
[Slide callouts: “Must be Open!” and “Do NOT Open!”]
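As an added example (not from the deck and not Cisco's code), the following Python script checks a foreign-to-anchor firewall rule set against the lists above: it parses a constructed, Cisco-style extended ACL, confirms that EoIP, mobility and the inter-controller CAPWAP or LWAPP ports are permitted in both directions between the two controller addresses, and reports any of the optional management ports that are open so an operator can review them. The ACL grammar it accepts, the addresses and the rule set are all constructed for the example.

```python
"""Check a foreign<->anchor WLC firewall rule set against the slide's port lists.

Added example, not Cisco's code.  Parses a constructed Cisco-style ACL of the
limited form  permit|deny <proto> host <ip>|any host <ip>|any [eq <port>]
and evaluates it first-match with an implicit deny at the end.
"""
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"ip": 0, "tcp": 6, "udp": 17}  # "ip" matches any protocol


@dataclass(frozen=True)
class Flow:
    proto: int            # IP protocol number (97 = EoIP)
    port: Optional[int]   # destination port; None for non-TCP/UDP


# Required between foreign and anchor, in both directions (from the slide).
EOIP = Flow(97, None)
MOBILITY = [Flow(17, 16666), Flow(17, 16667)]   # non-secured or IPSec-secured
CAPWAP = [Flow(17, 5246), Flow(17, 5247)]       # release 5.0 and later
LWAPP = [Flow(17, 12222), Flow(17, 12223)]      # before release 5.0

# Optional management/operational protocols listed on the slide.
MANAGEMENT = {
    Flow(6, 22): "SSH", Flow(6, 23): "Telnet", Flow(17, 69): "TFTP",
    Flow(17, 123): "NTP", Flow(17, 161): "SNMP", Flow(17, 162): "SNMP traps",
    Flow(6, 443): "HTTPS", Flow(6, 80): "HTTP", Flow(6, 514): "Syslog",
    Flow(17, 1812): "RADIUS auth", Flow(17, 1813): "RADIUS acct",
}


def _endpoint(tokens, i):
    """Consume 'host <ip>' or 'any'; return (value, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported endpoint in: {' '.join(tokens)}")


def parse_acl(text):
    """Return a list of (action, proto_number, src, dst, port) rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # blank lines, comments and the 'ip access-list' header
        proto = tokens[1]
        proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS.get(proto)
        if proto_num is None:
            raise ValueError(f"unknown protocol in: {line!r}")
        src, i = _endpoint(tokens, 2)
        dst, i = _endpoint(tokens, i)
        port = int(tokens[i + 1]) if len(tokens) > i + 1 and tokens[i] == "eq" else None
        rules.append((tokens[0], proto_num, src, dst, port))
    return rules


def permitted(rules, src, dst, flow):
    """First-match evaluation of one directed flow; implicit deny if nothing matches."""
    for action, proto, rsrc, rdst, port in rules:
        if rsrc not in ("any", src) or rdst not in ("any", dst):
            continue
        if proto not in (0, flow.proto):
            continue
        if port is not None and port != flow.port:
            continue
        return action == "permit"
    return False


def check_guest_path(acl_text, foreign, anchor, release_5_or_later=True):
    """Return (missing, exposed): required flows not open in both directions,
    and management protocols that are open in at least one direction."""
    rules = parse_acl(acl_text)

    def both_ways(flow):
        return permitted(rules, foreign, anchor, flow) and permitted(rules, anchor, foreign, flow)

    missing = []
    if not both_ways(EOIP):
        missing.append("EoIP (IP protocol 97)")
    if not any(both_ways(f) for f in MOBILITY):
        missing.append("Mobility (UDP 16666 or 16667)")
    tunnel, label = (CAPWAP, "CAPWAP UDP 5246/5247") if release_5_or_later else (LWAPP, "LWAPP UDP 12222/12223")
    if not all(both_ways(f) for f in tunnel):
        missing.append(label)
    exposed = sorted(name for f, name in MANAGEMENT.items()
                     if permitted(rules, foreign, anchor, f) or permitted(rules, anchor, foreign, f))
    return missing, exposed


# Constructed sample: foreign WLC 10.1.1.10 inside, anchor WLC 192.0.2.10 in the guest DMZ.
# CAPWAP is only opened toward the anchor and SSH is open, so both get flagged.
SAMPLE_ACL = """
ip access-list extended GUEST-ANCHOR
 permit 97 host 10.1.1.10 host 192.0.2.10
 permit 97 host 192.0.2.10 host 10.1.1.10
 permit udp host 10.1.1.10 host 192.0.2.10 eq 16666
 permit udp host 192.0.2.10 host 10.1.1.10 eq 16666
 permit udp host 10.1.1.10 host 192.0.2.10 eq 5246
 permit udp host 10.1.1.10 host 192.0.2.10 eq 5247
 permit tcp host 10.1.1.10 host 192.0.2.10 eq 22
 deny ip any any
"""

if __name__ == "__main__":
    print(check_guest_path(SAMPLE_ACL, "10.1.1.10", "192.0.2.10"))
```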
Guest Path Isolation Using VRF
Virtual Routing/Forwarding (VRF) is the L3 virtualization used in Enterprise Campus networks
Guest isolation is done by dedicated VRF instances
[Diagram: Campus Virtualization. The global routing table, an Employee VRF and a Guest VRF each terminate on logical or physical Layer 3 interfaces; between devices the VRFs are carried over 802.1q, GRE, LSP, physical interfaces or other transports.]
Guest Path Isolation Using VRF
CAPWAP path isolation at access layer
L2 path isolation between WLC and default gateway
L3 VRF isolation from WLC to firewall guest DMZ interface
[Diagram: WLC and VRF Virtualization. A wireless guest on an isolated L2 VLAN reaches the Wireless LAN Controller over CAPWAP in the corporate access layer; L3 switches with VRF carry the Guest VRF, separate from the Global table and the Employee VRF, across the corporate intranet to the Guest DMZ interface of the Cisco ASA firewall, whose Inside interface faces the intranet and whose Outside interface faces the Internet. The diagram also labels Guest Provisioning.]
Wired Guest Access Control and Path Isolation
Wired Guest Access
Wired Guest Access Enforcement Point can be delivered in two different locations:
Web Authentication on Catalyst Switches
Wired Guest Access Feature on Wireless LAN Controllers
[Diagram: Wired Guest Enforcement Point. Catalyst Web Auth (802.1X guest VLAN failover, open (guest) VLAN) with L3 path isolation; WLC Wired Guest Access with L2 path isolation.]
Wired (Guest) Access Basic Operation
1. Port enabled, pre-auth ACL applied
2. Host acquires IP address, which triggers the session state (DHCP and ARP trigger the state)
3. Host opens browser, login page is shown
4. Host sends password
5. Switch queries AAA server; AAA server returns policy and authorizes the user
6. Switch applies new ACL policy
Triggers: 802.1X timeout, 802.1X failure, MAB failure (multiple triggers, single port config, mostly Flex-Auth)
Access VLAN only; VLAN assignment not supported
Pre-auth ACL must permit DHCP and DNS
ACL applies to the port, so phones must use MDA
Use the Web Auth AAA fail policy for AAA outages
IP HTTP (secure) server enabled; user may be prompted for certificate trust
[Diagram: switch, DHCP/DNS and AAA server exchanging steps 1–6 with the host.]
Wired Guest L3 Path Isolation with VRF
Access using VLAN isolation
Web Authentication by Catalyst switches
Wired guest isolation with VRF for L3 isolation
[Diagram: a wired guest on an isolated L2 VLAN in the corporate access layer; L3 switches with VRF carry the Guest VRF, separate from the Global table and the Employee VRF, across the corporate intranet to the Guest DMZ interface of the Cisco ASA firewall (Inside toward the intranet, Outside toward the Internet). The diagram also labels Guest Provisioning.]
WLC Wired Guest Access
Wired guest ports are provided in a designated location and plugged into an access switch
The configuration on the access switch puts these ports into a wired-guest Layer 2 VLAN
On a single WLAN Controller the guest VLAN will be trunked into the WLC
On a multi-controller deployment with Auto Anchor mode the guest VLAN will trunk into the Foreign controller and then be tunneled into the DMZ Anchor controller
[Diagram: Wired Guest Access by Wireless LAN Controllers. Wired guests on an isolated L2 VLAN and wireless guests reach the Wireless LAN Controller; an EoIP tunnel carries guest traffic across the corporate intranet to the DMZ or anchor Wireless LAN Controller behind the Cisco ASA firewall, and on to the Internet.]
WLC Wired Guest Access: Deployment Requirements
Five guest LANs for wired guest access are supported
Admin can create wired guest VLANs on the WLC and associate each with a guest LAN
Web-auth is the default security on a wired guest LAN, but open and web pass-through can also be used
No L2 security such as 802.1X is supported
Multicast and broadcast traffic are dropped on wired guest VLANs to reduce the load on the overall network
Wired guest access is supported on a single guest WLC or in an Anchor-Foreign guest WLC scenario
Architecture Summary
Wireless is the preferred Guest Access technology because it provides no physical connectivity to the corporate network
Wired Guest Access can be delivered by Catalyst Switches or the Wireless LAN Controller
An Anchor Controller in the Guest DMZ allows full path isolation from the Access Point to the Guest DMZ
VRF can be used for L3 guest isolation
Cisco ASA Firewall provides Internet access security and advanced security features for guest control
Guest Services Portal
Guest Authentication Portal
Wireless and Wired Guest Authentication Portal is available in four modes:
Internal (Default Web Authentication Pages)
Customized (Downloaded Customized Web Pages)
External Using NAC Guest Server
External (Re-directed to external server)
Wireless Guest Authentication Portal: Internal Web Portal
Wireless guest user associates to the guest SSID
Initiates a browser connection to any website
Web login page will be displayed
[Screenshot: default login page with its welcome text and fixed text.]
Wireless Guest Authentication Portal: Customizable Web Portal
Create your own Guest Access Portal web pages
Upload the customized web page to the WLC
Configure the WLC to use “customizable web portal”
Customized WebAuth bundle can contain:
22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages (in WCS 5.0 and up)
22 login successful pages (in WCS 5.0 and up)
Wired Guest Authentication Portal: Catalyst Switches Internal Web Portal
Wired Auth-Proxy Banner: configurable welcome text from the IOS config
[Screenshot: internal web portal with fixed text and welcome text.]
```
(config)#ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C
```
Wired Guest Authentication Portal: Catalyst Switches Customizable Web Portal
Configurable HTML pages on bootflash: 4 pages / 8 KB each: login, success, expired, failure
Completely customizable
Images must be embedded or external
4 files, 8 KB max each:
```
(config)#ip admission proxy http login expired page file bootflash:expired.html
(config)#ip admission proxy http login page file bootflash:login.html
(config)#ip admission proxy http success page file bootflash:success.html
(config)#ip admission proxy http failure page file bootflash:fail.html
```
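The constraints just listed can be checked before the pages are copied to bootflash. The following Python script is an added example, not part of the deck or of Cisco IOS: given the four page bodies it enforces the four-page set and the 8 KB limit, and flags any image whose src is neither an embedded data: URI nor an absolute external URL, since the switch serves only these four files. The sample pages and the placeholder data: URI are constructed.

```python
"""Validate a Catalyst web-auth custom page bundle against the slide's limits.

Added example, not Cisco's code: exactly four pages (login, success, expired,
failure), 8 KB maximum each, and every <img> either embedded as a data: URI
or fetched from an absolute external URL.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

REQUIRED_PAGES = ("login", "success", "expired", "failure")
MAX_BYTES = 8 * 1024


class ImageCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value is not None:
                    self.sources.append(value)


def image_source_ok(src):
    """Embedded (data:) or absolute http(s) URL.  A relative path would point at
    a file the switch does not serve, so the image would never load."""
    parsed = urlparse(src.strip())
    if parsed.scheme == "data":
        return True
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def validate_bundle(pages):
    """pages: dict of page name -> HTML text.  Returns a list of problem strings;
    an empty list means the bundle meets the limits stated on the slide."""
    problems = []
    for name in REQUIRED_PAGES:
        if name not in pages:
            problems.append(f"{name}: page missing")
    for name, html in pages.items():
        if name not in REQUIRED_PAGES:
            problems.append(f"{name}: not one of the four supported pages")
        size = len(html.encode("utf-8"))
        if size > MAX_BYTES:
            problems.append(f"{name}: {size} bytes exceeds the {MAX_BYTES}-byte limit")
        collector = ImageCollector()
        collector.feed(html)
        for src in collector.sources:
            if not image_source_ok(src):
                problems.append(f"{name}: image '{src}' is neither embedded nor external")
    return problems


# Constructed sample bundle: login references a relative logo (invalid),
# success embeds a placeholder data: URI (valid), expired uses an external
# URL (valid), failure is padded past 8 KB (invalid).
PLACEHOLDER_DATA_URI = "data:image/png;base64,AAAA"  # constructed, not a real image
SAMPLE_BUNDLE = {
    "login": '<html><body><img src="logo.png"><form method="post">'
             '<input name="username"><input name="password" type="password"></form></body></html>',
    "success": f'<html><body><img src="{PLACEHOLDER_DATA_URI}">Welcome, guest</body></html>',
    "expired": '<html><body><img src="https://www.example.com/logo.png">Session expired</body></html>',
    "failure": "<html><body>Login failed</body>" + "<!-- pad -->" * 800 + "</html>",
}

if __name__ == "__main__":
    for problem in validate_bundle(SAMPLE_BUNDLE):
        print(problem)
```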
Centralized Wireless and Wired Guest Portal: NAC Guest Server (NGS)
Multi-function standalone appliance
Customizable hotspot hosting
Sponsored guest access provisioning, verification, management
Centralized Login Page: Wireless Guest
1) Administrator creates WLAN login page on NGS
2) Wireless guest opens web browser
3) Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server
4) Guest Server returns centralized login page
[Diagram: AP, WLC and NGS, with the WLC redirect in step (3).]
Centralized Login Page: Wired Guest
1) Administrator creates wired login page on NGS
2) Wired guest opens web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) Guest Server returns centralized login page
Looks exactly the same as wireless
[Diagram: switch and NGS, with the switch redirect in step (3).]
Authentication and Authorization
1) Administrator creates wired login page on NGS
2) Wired guest opens web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) Guest Server returns centralized login page
5) Guest submits credentials to the switch (POST to switch: username, password)
6) Switch authenticates credentials and controls access
[Diagram: switch and NGS; authentication and access control in step (6) are still local to the switch.]
Guest Services Provisioning
Requirements for Guest Provisioning
Might be performed by non-IT personnel
Must deliver basic features, but might also require advanced features:
Duration
Start/end time
Bulk provisioning, …
Provisioning strategies: lobby ambassador, employees
Multiple Guest Provisioning Services
Cisco Guest Access Solution supports several provisioning tools, with different feature richness:

| Provisioning tool | Level | Availability |
|---|---|---|
| Cisco Wireless LAN Controller | Basic provisioning | Included in Cisco Wireless LAN Solution |
| Cisco Wireless Control System | Advanced provisioning | Included in Cisco Wireless LAN Solution |
| Cisco NAC Guest Server | Dedicated provisioning | Additional Cisco product |
| Customer server | Customized provisioning | Customer development |
Guest Provisioning Service: WLC
Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
Lobby Ambassadors have limited guest features and must create the user directly on the WLC:
Create guest user: up to 2048 entries
Set time limitation: up to 30 days
Set guest SSID
Set QoS profile
[Screenshot: Cisco Wireless LAN Controller]
Guest Provisioning Service: WCS
WCS offers specific Lobby Ambassador access for guest management only
Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers
Lobby Ambassadors on WCS are able to create guest accounts with advanced features like:
Start/end time and date, duration
Bulk provisioning
Set QoS profiles
Set access based on WLC, Access Points, or location
[Screenshot: Cisco Wireless Control System]
Guest Provisioning Service: Add a Guest User with WCS
[Screenshot]
Guest Provisioning Service: Print/E-Mail Details of Guest User
[Screenshot]
Guest Provisioning Service: Schedule a Guest User (Configure Controller Template > Schedule Guest User)
[Screenshot]
Guest Provisioning Service: NGS
Dedicated external server
Complete provisioning, accounting, reporting, and billing services
Advanced features: full sponsor and guest user policies
Large guest account base using RADIUS
Easy integration with Clean Access and WLC
Email and SMS notifications
Sponsor authentication through local database, LDAP or Active Directory
[Screenshot: Cisco NAC Guest Server]
Cisco NAC Guest Server: NGS Configuration
1. IT Administrator configures NGS:
Sponsor or LA access rights
Declare Guest Anchor WLC in NGS
Configure security/policy rules
2. IT Admin configures WLC to use Cisco NGS:
Define Guest SSID
Associate NGS as RADIUS Server
[Diagram: the IT Admin (network/solution management) configures (1) the NAC Guest Server (lobby ambassador portal, guest account database, monitoring and reporting) and (2) the Wireless LAN Controller (policy enforcement, guest web portal). Also shown: the Lobby Ambassador / employee sponsor, the guest (visitor, contractor, customer), the corporate network and the Internet.]
Cisco NAC Guest Server: Admin Interface
Admin portal is required to configure the device
[Screenshot]
Cisco NAC Guest Server: Sponsor Authentication (Local Account/AD)
The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account
[Screenshot]
Cisco NAC Guest Server: Guest Policy (Username/Password Policy)
Username policy:
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters
Password policy:
1. Alphabetic characters
2. Numeric characters
3. Special characters
Cisco NAC Guest Server: WLC Integration (Guest Server Configuration)
Add the WLC that performs WebAuth as a RADIUS client in the NGS
NGS uses standard RADIUS Attribute 27 (Session-Timeout)
Cisco NAC Guest Server: Informing the Guest
Sponsor will have three ways to inform the guest:
1. Printing the details
2. Sending the details via e-mail
3. Sending the details via SMS
Cisco NAC Guest Server: Sponsor Portal, Create and Print Guest Access Credentials
[Screenshot]
Cisco NAC Guest Server
1. Sponsor creates Guest Account through dedicated NGS server
2. Credentials are delivered to Guest by print, email or SMS
3. Guest Authentication on Guest portal
4. RADIUS Request from WLC to Cisco NGS Server
5. RADIUS Response with policies (session timeout, …)
6. RADIUS Accounting with session information (time, login, IP, MAC, …)
7. Traffic can go through
Diagram components: Guest (Visitor, Contractor, Customer); Wireless LAN Controller (Policy Enforcement, Guest Web Portal); Corporate Network; Internet; NAC Guest Server (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting); Lobby Ambassador / Employee Sponsor; RADIUS Requests and RADIUS Accounting between the WLC and the NAC Guest Server (steps 1 to 7 above)
Guest User Creation
[Page 48]
Lobby Ambassador—Guest Account Creation
Personal Settings
Several Ways to create Guest Accounts
Tools to Manage Guest Accounts
Cisco NAC Guest Server
[Page 49]
Reporting and Monitoring
[Page 50]
Cisco NAC Guest Server
Sponsor Portal: Guest Reports and Logs
[Page 51]
Aggregation of Guest Information
NGS aggregates guest reporting information:
From WLC (RADIUS Accounting): login, start/stop time, MAC address, source IP address
From ASA (syslog): destination IP addresses/ports, URL logging, …
Diagram components: Wireless Guest; Wireless LAN Controller; DMZ or Anchor Wireless LAN Controller; Cisco ASA Firewall; Internet; Corporate Intranet; NGS Guest Server (receives RADIUS from the WLC and Syslog from the ASA)
ASA configuration shown on the slide:
ntp server 192.168.215.62
!
policy-map global_policy
 class inspection_default
  inspect http
!
service-policy global_policy global
!
logging enable
logging timestamp
logging list WebLogging message 304001
logging trap WebLogging
logging facility 21
logging host inside 192.168.215.16
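The correlation the NGS performs on the two feeds above can be reproduced offline. The following is an added example, not code from the Cisco deck or from the NAC Guest Server: it joins the WLC's RADIUS accounting records (login, start/stop time, MAC, source IP) with the ASA's message 304001 URL-logging syslog by source IP and session time window. All accounting records and syslog lines are constructed sample data, and the 304001 field layout is approximated rather than copied from a real ASA.

```python
"""Correlate guest sessions (RADIUS accounting) with ASA URL logs (syslog 304001).

Added example, not part of the Cisco deck. Accounting records and syslog lines
are constructed; the %ASA-5-304001 layout is an approximation of the real one.
"""
import re
from datetime import datetime

# Constructed RADIUS accounting, one record per Start/Stop pair as the NGS
# would receive it from the WLC: login, start/stop time, MAC, source IP.
RADIUS_ACCOUNTING = [
    {"user": "guest1", "mac": "00:40:96:ad:0d:1b", "ip": "10.50.10.128",
     "start": "2010-06-28 09:00:00", "stop": "2010-06-28 10:30:00"},
    {"user": "guest2", "mac": "00:40:96:ad:0d:2c", "ip": "10.50.10.129",
     "start": "2010-06-28 09:45:00", "stop": "2010-06-28 11:00:00"},
    # The same address is leased to a later guest: time decides, not only IP.
    {"user": "guest3", "mac": "00:40:96:ad:0d:3d", "ip": "10.50.10.128",
     "start": "2010-06-28 11:00:00", "stop": "2010-06-28 12:00:00"},
]

# Constructed ASA syslog lines for message 304001 (the one enabled by
# "logging list WebLogging message 304001"), with "logging timestamp" on.
ASA_SYSLOG = """\
Jun 28 2010 09:05:12 asa-guest : %ASA-5-304001: 10.50.10.128 Accessed URL 198.51.100.10:http://www.example.com/
Jun 28 2010 09:50:01 asa-guest : %ASA-5-304001: 10.50.10.129 Accessed URL 198.51.100.20:http://www.example.org/news
Jun 28 2010 10:45:00 asa-guest : %ASA-5-304001: 10.50.10.128 Accessed URL 198.51.100.30:http://example.net/late
Jun 28 2010 11:15:30 asa-guest : %ASA-5-304001: 10.50.10.128 Accessed URL 198.51.100.40:http://www.example.com/again
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-5-304001: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) Accessed URL (?P<dst>[^:]+):(?P<url>\S+)$"
)


def parse_syslog(text):
    """Yield (timestamp, source IP, destination IP, URL) for each 304001 line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            yield ts, m["src"], m["dst"], m["url"]


def attribute_urls(accounting, syslog_text):
    """Map every URL hit to the guest whose session covered that IP at that time.

    Returns {username: [(destination IP, URL), ...]}. Hits that fall in no
    accounting window (address seen outside any session) are filed under None
    so they stand out for investigation instead of being silently dropped.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    sessions = [(datetime.strptime(s["start"], fmt), datetime.strptime(s["stop"], fmt), s)
                for s in accounting]
    report = {}
    for ts, src, dst, url in parse_syslog(syslog_text):
        owner = None
        for start, stop, s in sessions:
            if s["ip"] == src and start <= ts <= stop:
                owner = s["user"]
                break
        report.setdefault(owner, []).append((dst, url))
    return report


if __name__ == "__main__":
    for user, hits in attribute_urls(RADIUS_ACCOUNTING, ASA_SYSLOG).items():
        print(user or "UNATTRIBUTED", hits)
```

The sample data shows why the slide's `ntp server` and `logging timestamp` lines matter: 10.50.10.128 is leased first to guest1 and later to guest3, so a join on IP alone would blame the wrong visitor, and the 10:45 hit between the two sessions can only be flagged as unattributed if both the ASA and the WLC keep accurate, synchronized clocks. HTTP inspection (`inspect http`) is what makes the ASA emit the URL in the first place.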
[Page 52]
Guest Activity Reporting
[Page 53]
Summary
[Page 54]
Diagram components: Guest; Sponsored Guest; Wireless Control System; Wireless LAN Controller
From Wireless Guest Access …
[Page 55]
Diagram components: Guest Parity for Wired / WLAN; NGS Guest Server; Sponsored Guest
… to Unified Wired and Wireless Guest Access …
[Page 56]
Diagram components: Active Directory; RADIUS Proxy; Guest; Employee; SSC; Employee-Sponsored Guest; Parity for Wired / WLAN; Centralized Policy & Accounting; 802.1X/MAB Compatibility (Employee); NGS Guest Server
… to Centralized Policy and Accounting
[Page 57]
What We Have Covered…
What a Guest Access Service is made of
The need for a secured infrastructure to support isolated Guest traffic. Unified Wireless is a key component of this infrastructure.
The Guest Service components are integrated in the Cisco Wired and Wireless Solution.
Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network
[Page 58]
Recommended Reading (BRKEWN-2016)
[Page 59]
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
[Page 60]
Check the Recommended Reading brochure for suggested products available at the Cisco Store
Enter to Win a 12-Book Library of Your Choice from Cisco Press
Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code
[Page 61]
[Page 62]
Additional Slides: Evolution to a Supplementary User Authentication
[Page 63]
Authorized Access
Who is on my network?
Can I manage the risk of using personal PCs?
Common access rights when on-prem, at home, on the road?
Are endpoints healthy?
Guest Access
Can I allow guests Internet-only access?
How do I manage guest access?
Can this work in wireless and wired?
How do I monitor guest activities?
Non-User Devices
How do I discover non-user devices?
Can I determine what they are?
Can I control their access?
Are they being spoofed?
Access Policy
Challenge in Building an Access Policy in a Borderless Network
[Page 64]
Why Web Authentication for Guest?
User-based
Familiar
Ubiquitous
Clientless
[Page 65]
Additional Slides: LWAPP/CAPWAP Controller Configurations
[Page 66]
Access Layer Switch
vlan 2
 name AP_Mgmt
!
interface FastEthernet0/1
 description link to AP
 switchport access vlan 2
 switchport mode access

Cisco Catalyst Switch (Connected to WLAN Controller)
vlan 3
 name Employee_VLAN
!
vlan 4
 name Guest_VLAN
!
interface Vlan3
 description Employee_VLAN
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan4
 description Guest_VLAN
 ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk Port to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 no shutdown

No Trunk Between AP and Access Layer Switch, Only AP Mgmt VLAN Defined
SVIs Corresponding to Each SSID Are Defined Here
Guest Access Control WLAN Controller Deployments
[Page 67]
Guest Access Control WLAN Controller Deployments
Create the employee and guest VLAN in the controller
[Page 68]
Guest Access Control WLAN Controller Deployments
Map the employee/guest WLAN in the controller to the respective employee/guest VLAN
[Page 69]
Additional Slides: Building the EoIP Tunnel
[Page 70]
Guest Path Isolation
Specify a mobility group for each WLC
Open ports for: Inter-Controller Tunneled Client Data
Inter-Controller Control Traffic
Configure the mobility groups and add the MAC address and IP address of the remote WLC
Create identical WLANs on the Remote and Anchor controllers
Create the Mobility Anchor for the Guest WLAN
Modify the timers in the WLCs
Check the status of the Mobility Anchors for the WLAN
Pros
Simple configuration
Overlay solution: no need to modify the network configuration
Cons
Support for wireless and wired (layer-2 adjacent) guest clients only
Limited to WLAN Controller wireless deployments
Building the EoIP Tunnel
[Page 71]
Guest Path Isolation
Each WLC is part of a mobility group
WLAN Controller Deployments with EoIP Tunnel: Remote Controller Configuration
[Page 72]
Guest Path Isolation
Configure the mobility groups and add the MAC address and IP address of the remote WLCs
WLAN Controller Deployments with EoIP Tunnel: Anchor and Remote Controller Configuration
Anchor
Remote
[Page 73]
Create the mobility anchor for the guest WLAN on Remote WLCs
WLAN Controller Deployments with EoIP Tunnel: Remote Controller Configuration
Guest Path Isolation
[Page 74]
Create the Mobility Anchor for the guest WLAN on Anchor WLC
WLAN Controller Deployments with EoIP Tunnel: Anchor Controller Configuration
Guest Path Isolation
[Page 75]
Path Isolation
Modify the timers on the Anchor WLCs
WLAN Controller Deployments with EoIP Tunnel: Anchor Controller
Check the status of the mobility anchors for the WLAN
[Page 76]
Guest Network Redundancy
Anchor WLC reachability is determined using the EoIP ping (data path) functionality
The Foreign WLC sends pings at configurable intervals to check whether the Anchor WLC is alive
Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
The Remote WLC keeps monitoring the Anchor WLC
Under normal conditions, clients are balanced between Anchor WLCs in round-robin fashion
Diagram components: Campus Core; EtherIP “Guest Tunnel” (Primary Link and Redundant Link) from foreign controller F1 to anchor controllers A1 and A2; CAPWAP from the access points; Guest and Secure wireless VLANs; Guest VLAN 10.10.60.x/24; controller management addresses 10.10.80.3, 10.10.75.2 and 10.10.76.2; Internet
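The anchor monitoring and round-robin behaviour described on this slide, as an added simulation that is not Cisco code: a foreign WLC object pings each anchor once per interval over the EoIP data path, declares an anchor dead after three consecutive misses (the threshold is an assumption; the real interval and retry count are configurable), de-authenticates the clients tunnelled to that anchor, keeps polling the dead anchor so it can return to service, and places new clients round-robin over the anchors that are alive. The two anchor addresses come from the slide's diagram, but their assignment to A1 and A2 and every ping outcome are constructed.

```python
"""Simulate foreign-WLC monitoring of anchor WLCs with EoIP data-path pings.

Added example, not Cisco code. The three-miss threshold, the A1/A2 address
assignment and all ping outcomes are assumptions made for the scenario.
"""


class ForeignWLC:
    def __init__(self, anchors, max_missed=3):
        self.anchors = list(anchors)
        self.alive = {a: True for a in self.anchors}
        self.missed = {a: 0 for a in self.anchors}
        self.max_missed = max_missed
        self.clients = {}        # client MAC -> anchor IP the client is tunnelled to
        self.deauth_log = []     # (client MAC, anchor IP) for every forced DEAUTH
        self._rr = 0

    def pick_anchor(self):
        """Round-robin over live anchors only; None when no anchor is reachable."""
        live = [a for a in self.anchors if self.alive[a]]
        if not live:
            return None
        anchor = live[self._rr % len(live)]
        self._rr += 1
        return anchor

    def associate(self, mac):
        """A new guest client arrives; anchor it and return the chosen anchor."""
        anchor = self.pick_anchor()
        if anchor is not None:
            self.clients[mac] = anchor
        return anchor

    def poll(self, replies):
        """One ping interval. `replies` maps anchor IP -> True if the EoIP ping was answered."""
        for a in self.anchors:
            if replies.get(a, False):
                self.missed[a] = 0
                self.alive[a] = True       # a recovered anchor is eligible again
                continue
            self.missed[a] += 1
            if self.alive[a] and self.missed[a] >= self.max_missed:
                self.alive[a] = False
                # Clients on a failed anchor are de-authenticated, not migrated:
                # they must re-associate and pass WebAuth again on a live anchor.
                for mac, anchor in list(self.clients.items()):
                    if anchor == a:
                        self.deauth_log.append((mac, a))
                        del self.clients[mac]


def run_scenario():
    """Two anchors, four clients, A1 fails, a fifth client arrives, A1 recovers."""
    a1, a2 = "10.10.75.2", "10.10.76.2"          # assumed A1/A2 management addresses
    wlc = ForeignWLC([a1, a2])
    placement = {mac: wlc.associate(mac) for mac in ("c1", "c2", "c3", "c4")}
    for _ in range(3):                           # A1 misses three consecutive pings
        wlc.poll({a1: False, a2: True})
    fifth = wlc.associate("c5")                  # lands on A2, the only live anchor
    wlc.poll({a1: True, a2: True})               # A1 answers again and rejoins rotation
    return placement, list(wlc.deauth_log), fifth, dict(wlc.alive)


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes explicit is the failure mode: clients on the failed anchor are not moved to the surviving anchor, they receive a DEAUTH and must come back through WebAuth, so session-timeout and re-login behaviour on the portal are part of the redundancy design, not just the tunnel itself.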
[Page 77]
Path Isolation
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.50.10.26 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.10.51.1 255.255.255.0
!
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
!
global (dmz) 1 interface
nat (inside) 1 10.70.0.0 255.255.255.0
static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
access-group DMZ in interface dmz
Sample Firewall Configuration
[Page 78]
Show Mobility Summary
Show Commands
[Page 79]
Show Mobility Anchor
Show Mobility Statistics
Show Commands
[Page 80]
Show Commands: Remote and Anchor WLC
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
show client detail mac_address (first output: Remote WLC, Mobility State Export Foreign; second output: Anchor WLC, Mobility State Export Anchor)
[Page 81]
Additional Slides: WLC Wired Guest Configuration
[Page 82]
WLC Wired Guest Access
Create a dynamic interface as the guest LAN; this will be the ingress interface
DHCP server information is not required on the ingress interface
DHCP server information is required on the egress dynamic interface
Deployment Steps
[Page 83]
WLC Wired Guest Access Configuration
Create wired WLAN as “Guest LAN” type
[Page 84]
WLC Wired Guest Access Configuration
Assign the Ingress and Egress Interfaces
Ingress interface is the wired guest LAN
Egress interface could be the management or any dynamic interface
[Page 85]
WLC Wireless and Wired Guest Configuration
Wireless and wired guest WLAN
[Page 86]
Additional Slides
[Page 87]
Wireless Guest Authentication Portal: Configuring Customized WebAuth with WCS
Download a sample copy of the customized WebAuth page from WCS
Customize the WebAuth page as per your requirements
Upload the newly customized WebAuth page to the Anchor WLC
Diagram components: Campus Core; CAPWAP; Internet; Guest and Emp wireless VLANs; Guest; WCS
[Page 88]
Wireless Guest Authentication Portal: Design with Anchor WLC
Upload the customized web page to the Anchor WLC
Customized WebAuth bundle can contain 22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages (in WCS 5.0 and up)
22 login successful pages (in WCS 5.0 and up)
Diagram components: Campus Core; LWAPP; Internet; Guest and Emp wireless VLANs; Guest; WCS
[Page 89]
Additional Slides: Configuring External Web Portal
[Page 90]
Diagram components: Campus Core; CAPWAP; Internet; Guest and Emp wireless VLANs; Guest WLC; External Web Server
Wireless Guest Authentication Portal: External Web Server with WLC
[Page 91]
4503-rk2#show run | i login.html
ip auth-proxy proxy http login page file bootflash:login.html

4503-rk2#more login.html
<html>
<head>
<script type="text/javascript">
location.href="https://10.100.10.227:8443/sites/LWA/switch_login.html?redirect_url="+location.href;
</script>
<noscript>
<meta HTTP-EQUIV="REFRESH" content="0;url=https://10.100.10.227:8443/sites/LWA/switch_login.html">
</noscript>
</head>
<body>
Redirecting ... continue <a href="https://10.100.10.227:8443/sites/LWA/switch_login.html">here</a>
</body>
</html>

JavaScript, meta tag or manual redirect
Customized “Magic” Login Page
• File is included in NGS 2.0.2: /guest/sites/samples/switch_includes
• To re-use this file, change “10.100.10.227” to the IP address of your NGS and “LWA” to the name of your NGS hotspot for wired
Customized Wired Pages: Design Considerations: No Redirect CLI
[Page 92]
Customized Wired PagesSwitch Config
ip device trackingip admission name IP_ADMIN_RULE proxy httpip admission proxy http login page file disk1:login.htmip admission proxy http success page file disk1:success.htmip admission proxy http fail page file disk1:fail.htmip admission proxy http login expired page file disk1:expired.htm!fallback profile WEB_AUTH_PROFILEip access-group PRE_WEBAUTH_POLICY inip admission IP_ADMIN_RULE!dot1x system-auth-control!interface Gigabit 1/0/5switchport mode accessswitchport access vlan 30authentication port-control autoauthentication fallback WEB_AUTH_PROFILEauthentication event fail action next-methoddot1x pae-authenticatordot1x tx-period 5!ip http serverip http secure-server
ip access-list extended PRE_WEBAUTH_POLICYpermit udp any any eq bootpspermit udp any any eq domainpermit tcp any host 10.100.10.227 eq 8443
Make sure to update the “Magic” Login Page with NGS IP address and hotspot name
Permit Traffic to NGS
Everything else is standard Web-Auth
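The two customization points on these slides (edit the NGS IP and hotspot name in the “Magic” login page, and permit only DHCP, DNS and TCP to the NGS portal in the pre-web-auth ACL) are easy to get out of sync. The following Python is an added worked example, not Cisco's code or part of the NGS sample files: it renders the login page for a given NGS address and hotspot name, and checks a PRE_WEBAUTH_POLICY-style ACL against the portal URL the page will send guests to. Function names (portal_url, render_login_page, check_pre_webauth_acl) and the embedded ACL text are constructed for the example. One deliberate difference from the sample page: the original request URL is wrapped in encodeURIComponent() before it is appended as redirect_url.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed copy of the PRE_WEBAUTH_POLICY ACL from the switch config slide,
# used as sample input for the checker (not read from a live device).
SAMPLE_ACL = """\
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.100.10.227 eq 8443
"""

# Same three-way redirect as the slide's login.html (JavaScript, meta refresh,
# manual link). Difference: location.href is URL-encoded so that '&' or '#'
# in the guest's first request cannot truncate or alter the redirect_url value.
LOGIN_PAGE_TEMPLATE = """<html>
<head><script type="text/javascript">
location.href="{portal}?redirect_url="+encodeURIComponent(location.href);</script><noscript>
<meta HTTP-EQUIV="REFRESH" content="0;url={portal}">
</noscript></head><body>
Redirecting ... continue <a href="{portal}">here</a> </body>
</html>
"""

# Minimal parser for the ACE shape used on the slide:
#   permit <tcp|udp> any <any|host X> eq <port>
ACE_RE = re.compile(r"^\s*permit\s+(tcp|udp)\s+any\s+(?:any|host\s+(\S+))\s+eq\s+(\S+)\s*$")


def portal_url(ngs_ip: str, hotspot: str, port: int = 8443) -> str:
    """Build the NGS switch_login.html URL; reject values that would break the page."""
    ipaddress.ip_address(ngs_ip)  # raises ValueError on a malformed address
    if not re.fullmatch(r"[A-Za-z0-9_-]+", hotspot):
        raise ValueError(f"hotspot name must be a plain identifier, got {hotspot!r}")
    return f"https://{ngs_ip}:{port}/sites/{hotspot}/switch_login.html"


def render_login_page(ngs_ip: str, hotspot: str, port: int = 8443) -> str:
    """Return the customized 'Magic' login page (the content for disk1:login.htm)."""
    return LOGIN_PAGE_TEMPLATE.format(portal=portal_url(ngs_ip, hotspot, port))


def parse_ace_lines(acl_text: str):
    """Extract (proto, destination host or 'any', port) from permit lines; others ignored."""
    entries = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2) or "any", m.group(3)))
    return entries


def check_pre_webauth_acl(acl_text: str, portal: str):
    """Compare the pre-auth ACL with what the magic page needs.

    Returns a list of findings; an empty list means the ACL permits exactly
    DHCP, DNS and TCP to the portal host:port and nothing broader.
    """
    u = urlsplit(portal)
    required = {
        ("udp", "any", "bootps"),
        ("udp", "any", "domain"),
        ("tcp", u.hostname, str(u.port or 443)),
    }
    present = set(parse_ace_lines(acl_text))
    findings = [f"missing permit: {e}" for e in sorted(required - present)]
    for e in sorted(present - required):
        if e[1] == "any":
            findings.append(f"overly broad pre-auth permit (any destination): {e}")
        else:
            findings.append(f"unexpected pre-auth permit: {e}")
    return findings


if __name__ == "__main__":
    portal = portal_url("10.100.10.227", "LWA")
    print(render_login_page("10.100.10.227", "LWA"))
    print("ACL findings:", check_pre_webauth_acl(SAMPLE_ACL, portal) or "none")
```

Run it after editing either file: a non-empty findings list means a guest could reach something before authenticating that the login page does not need, or that the page points at a host or port the ACL blocks (in which case the redirect simply hangs and web-auth never completes).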
Additional Slides: WCS Lobby Ambassador Configuration
Guest Provisioning Service
User created in WCS with Lobby Ambassador (LA) privilege
Lobby Ambassador user logs into the WCS to create guest user accounts
Lobby Ambassador Feature in WCS
Guest Provisioning Service
Associate the lobby admin with Profile and Location specific information
Lobby Ambassador Feature in WCS
Details About the Guest User(s): Guest Provisioning Service
WCS Provisioning Service
1. Lobby Ambassador creates Guest Account with policies
2. Guest Account credentials & rules are pushed to WLC
3. Credentials are delivered to Guest by Print or Email with customized Logo
4. Guest Authentication on Guest portal
5. SNMP Trap with guest login information (MAC@, IP@, …)
6. Traffic can go through Corporate Network
Diagram components: Wireless LAN Controller (Policy Enforcement, Guest Web Portal); Guest (Visitor, Contractor, Customer); WCS (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting); Lobby Ambassador (Employee Sponsor); Internet
Using Internal DB and Reporting Capabilities