
  • © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential (slide 1)

    Wireless Guest Access Design & Deployment

    Tom Koenig

    Wireless Product Manager

    [email protected]

  • Slide 2

    Guest Networking Drivers

    Guest user integration: overcoming traditional solutions (modem port or parallel networks)

    Seamless support for wireless and wired clients

    Restricting access to enterprise internal resources

    Allowing the establishment of VPN connections from guest users to their own corporate networks

    Centralized management and control

    Authentication/logging capabilities for guests

  • Slide 3

    Network Virtualization Architecture: A framework for providing Guest Access

    [Figure: three service layers (Access Control, Path Isolation, Services Edge) drawn across Branch, WAN/MAN, Campus, Data Center and Internet Edge; VRFs, GRE, MPLS and EoIP shown as path isolation techniques]

    Functions

    Access Control:

    Authenticate client (user, device, app) attempting to gain network access

    Authorize client into a Partition (VLAN, ACL)

    Deny access to unauthenticated clients

    Path Isolation:

    Maintain traffic partitioned over Layer 3 infrastructure

    Transport traffic over isolated Layer 3 partitions

    Map Layer 3 Isolated Path to VLANs in Access and Services Edge

    Services Edge:

    Provide access to services: Shared or Dedicated

    Apply policy per partition

    Isolate Application environments if necessary

    Guest Specific Functions

    Access Control:

    Identify wired and wireless guests

    Authorize guests onto the guest ACL, VLAN or SSID

    Path Isolation:

    Keep Guest Traffic from reaching internal destinations

    Steer guest traffic to the web-authentication appliances

    Services Edge:

    Internet Access and Policies for Guests and Employees

    Web-authentication, DHCP and DNS services for Guests

  • Slide 4

    Access Control: Cisco WLAN Controller Deployments

    LWAPP tunnel is a layer 2 tunnel (encapsulates original Ethernet frame)

    Same LWAPP tunnel used for data traffic of different SSIDs

    Control and data traffic tunneled to the controller via LWAPP: data uses UDP 12222, control uses UDP 12223

    Data traffic bridged on a unique VLAN corresponding to each SSID

    Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

    [Figure: guest and employee clients on LWAPP access points, LWAPP tunnels to a WiSM WLAN controller, wireless VLANs at the campus core]

  • Slide 5

    Access Control End-to-End Wireless Traffic Isolation

    VLAN isolation for standalone APs valid up to the first L3 hop

    [Figure: standalone AP and controller-based AP, each reaching the campus over a GRE or LWAPP tunnel]

    Recommendation for controller-based deployments is to place the controllers in a centralized location (data center or campus services block)

    The Challenge

    How to provide end-to-end guest traffic isolation, allowing internet access but preventing any other communications?

  • Slide 6

    Path Isolation: WLAN Controller Deployments with EoIP Tunnel

    Use of EoIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers

    Other traffic (employee for example) still locally bridged on the corresponding VLAN

    No need to define the guest VLANs on the switches connected to the edge controllers

    Original guest Ethernet frame maintained across LWAPP and EoIP tunnels

    EoIP supported across all WLAN controllers

    2006 model can't terminate EoIP connections (no anchor role)

    [Figure: guest and employee clients on LWAPP access points; employee traffic bridged locally onto wireless VLANs at the campus core; guest traffic carried in EtherIP guest tunnels to the Guest WLAN Controller (Anchor) at the Internet edge]

  • Slide 7

    Path Isolation: WLAN Controller Deployments with EoIP Tunnel

    Pros

    Simple configuration

    Overlay solution: no need to modify the network configuration

    Cons

    Support for wireless guest clients only

    Limited to WLAN controller-based wireless deployments

  • Slide 8

    Services Edge: Guest Network Services

    Providing network services to guest users in a centralized location

    Dedicated DHCP and DNS services still controlled by the host organization

    DNS services offered by external server

    DHCP services offered by external server or web-auth appliance

    Separate FW dedicated to Guest

    FW in routed mode: NAT/PAT to return traffic through the proper FW

    FW in transparent mode: static routes required on internet router

  • Slide 9

    Web-authentication for Guest Users: Technical Requirements

    Common web-authentication system for wired and wireless clients

    Deployed in a centralized fashion: authentication and authorization on a centralized in-band device

    Record the activity of guest users while connected to the enterprise network

    Force the acceptance of enterprise legal disclaimer before getting Internet connectivity

    Used for billing purposes (in some cases)

  • Slide 10

    Controller Guest Access Components Overview

    1. Back-end segmentation (mobility anchor)

    Separate the guest traffic from the corporate internal traffic via EoIP tunnels

    2. Lobby ambassador/host portal

    Guest user creation and token generation

    Web portalinternal or external

    3. Customizable guest screen

    Fully customizable guest login screen

    4. Back-end authentication

    Local user database

    External AAA authentication capable

    [Figure: guest and employee clients on LWAPP access points, wireless VLANs at the campus core, WCS, EtherIP guest tunnels to the anchor controller at the Internet edge]

  • Slide 11

    New Guest Features in WLAN Controller

    Lobby Ambassador account role in WCS for guest user credential creation, monitoring, and deletion

    Guest user IDs and passwords auto-generated or manually defined

    Guest user account manageable via SNMP

    Fully customizable login screen downloadable to controller

    Image file will replace the original web authentication page on controller

    TFTP download of a tar file (up to 1 MB) containing the web page

  • Slide 12

    Lobby Ambassador Feature in WCS

    Lobby Ambassador (LA) role created which only allows access to the Lobby Administrator screen in WCS

    Runs on controller and WCS

    Traps sent to notify when guest user account expires

    [Figure: WCS managing controllers; guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 13

    Add a Guest User and Apply to Controllers

    [Screenshot: WCS guest user form with "Apply to Controller" and "Select the Controller" steps]

  • Slide 14

    Guest User Now Applied to Controller

  • Slide 15

    Create the Lobby Admin in WLC

    Lobby Administrator Can Be Created in WLC Directly

    [Figure: WLC with guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 16

    Add a Guest User on the WLC

    [Screenshot: WLC "Guest User List" page with the "New" button]

  • Slide 17

    Web Portal: Internal to WLC

    Internal Web Login Page in WLC

    [Figure: WLC hosting the login page; guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 18

    Web Portal: External Web Server

    Web Portal in an External Web Server

    [Figure: external web server hosting the portal alongside the WLC; guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 19

    Web Login Page on the Client

    Wireless guest user associates to the guest SSID

    Initiates a browser connection to any website

    Web login page is displayed

    [Figure: guest wireless client, WCS, guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]
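The deck describes three pieces that work together: lobby-ambassador account creation with auto-generated or manually defined credentials that expire and trigger a notification (slides 11 and 12), the requirements that guests accept the legal disclaimer and have their activity recorded (slide 9), and the login flow in which a client that opens any website is shown the login page instead (this slide). The following added example (not code from the slides or from Cisco) models that flow end to end; the PBKDF2 password storage, the MAC-keyed sessions, the portal URL and all usernames are assumptions made for illustration.

```python
"""Guest account lifecycle plus a web-auth intercept, modelled on the deck's guest access flow."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000
LOGIN_URL = "https://guest-portal.example/login.html"   # placeholder portal address


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    expires_at: float   # epoch seconds after which the account is no longer valid
    sponsor: str        # lobby ambassador who created the account


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class GuestDirectory:
    """Local guest user database with lifetime-bound accounts."""

    def __init__(self):
        self.accounts = {}
        self.events = []   # expiry notifications (a controller would send an SNMP trap)

    def create(self, username, lifetime_s, sponsor, now, password=None):
        """Create an account; the password is auto-generated unless the ambassador supplies one."""
        if password is None:
            password = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        self.accounts[username] = GuestAccount(username, salt, _hash(password, salt),
                                               now + lifetime_s, sponsor)
        return password   # shown once to the ambassador; only the hash is stored

    def authenticate(self, username, password, now):
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, b"\x00" * 16)   # same cost for unknown users as for known ones
            return False
        if now >= acct.expires_at:
            return False
        return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

    def expire(self, now):
        """Remove expired accounts and record one notification event per removal."""
        expired = [u for u, a in self.accounts.items() if now >= a.expires_at]
        for username in expired:
            del self.accounts[username]
            self.events.append(("guest-account-expired", username))
        return expired


class GuestPortal:
    """Web-auth intercept: redirect unauthenticated clients, pass authenticated ones, log activity."""

    def __init__(self, directory):
        self.directory = directory
        self.sessions = {}   # client MAC -> (username, session end)
        self.activity = []   # (time, mac, user, url-or-event) audit records

    def handle_http(self, client_mac, url, now):
        """A client with a live session passes through; anyone else is sent to the login page."""
        sess = self.sessions.get(client_mac)
        if sess is not None and now < sess[1]:
            self.activity.append((now, client_mac, sess[0], url))
            return ("pass", url)
        self.sessions.pop(client_mac, None)   # drop stale sessions
        return ("redirect", LOGIN_URL)

    def login(self, client_mac, username, password, accepted_disclaimer, now):
        """Disclaimer acceptance is mandatory; the session ends when the account expires."""
        if not accepted_disclaimer:
            return False
        if not self.directory.authenticate(username, password, now):
            self.activity.append((now, client_mac, username, "login-failed"))
            return False
        self.sessions[client_mac] = (username, self.directory.accounts[username].expires_at)
        self.activity.append((now, client_mac, username, "login"))
        return True


if __name__ == "__main__":
    directory = GuestDirectory()
    pw = directory.create("visitor1", lifetime_s=3600, sponsor="lobby-ambassador", now=1000.0)
    portal = GuestPortal(directory)
    print(portal.handle_http("aa:bb:cc:dd:ee:01", "http://example.com/", 1001.0))
    print(portal.login("aa:bb:cc:dd:ee:01", "visitor1", pw, True, 1001.0))
    print(portal.handle_http("aa:bb:cc:dd:ee:01", "http://example.com/", 1002.0))
```

Tying the session lifetime to the account's expiry means an expired guest loses access at the next request rather than at the next login, and the activity list gives the per-user record the deck asks for.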

  • Slide 20

    Custom Web Authentication

    Custom web authentication page including the image file will replace the original Web Authentication page on a controller

    One feature will be active at a time

    The controller will allow downloading up to 1 MB of a tar file containing the web pages and image files via TFTP

    The tar file will be untarred into the controller's file system

    The web auth login page name will be pre-defined as login.html

    The user will be allowed to preview the customized web authentication pages through the Controller Web UI
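Because the controller untars an uploaded bundle straight into its own file system, the bundle is worth checking before it is pushed over TFTP: it must stay within the 1 MB limit, contain the predefined login.html, and contain nothing that would be written outside the extraction directory. The following added example (not code from the slides or from Cisco) performs those checks on an in-memory archive; the rejection of symlinks and the expectation that login.html sits at the archive root are assumptions of this example.

```python
"""Pre-upload checks for a customized web-auth bundle destined for a WLAN controller."""
import io
import posixpath
import tarfile

MAX_BUNDLE_BYTES = 1024 * 1024   # the controller accepts at most 1 MB via TFTP
LOGIN_PAGE = "login.html"        # page name the controller expects for the login screen


def build_sample_bundle(members):
    """Constructed sample bundle: in-memory tar built from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_webauth_bundle(bundle):
    """Return a list of problems; an empty list means the bundle passed every check."""
    problems = []
    if len(bundle) > MAX_BUNDLE_BYTES:
        problems.append(f"bundle is {len(bundle)} bytes, controller limit is {MAX_BUNDLE_BYTES}")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(bundle), mode="r")
    except tarfile.TarError as exc:
        return problems + [f"not a readable tar archive: {exc}"]
    names = []
    with tar:
        for member in tar.getmembers():
            norm = posixpath.normpath(member.name)
            # Members that would land outside the extraction directory
            if member.name.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append(f"unsafe path: {member.name}")
            elif not member.isfile():
                # Links and device nodes have no place in a page bundle (assumption of this check)
                problems.append(f"not a regular file: {member.name}")
            names.append(norm)
    if LOGIN_PAGE not in names:
        problems.append(f"missing {LOGIN_PAGE}")
    return problems


if __name__ == "__main__":
    good = build_sample_bundle({"login.html": b"<html>login</html>", "logo.gif": b"GIF89a"})
    print(check_webauth_bundle(good))
    bad = build_sample_bundle({"../../etc/shadow": b"x", "login.html": b"<html></html>"})
    print(check_webauth_bundle(bad))
```

Run the check on the bundle produced from the downloaded sample file before uploading it through WCS; a non-empty result means the archive should be rebuilt rather than pushed to the controller.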

  • Slide 21

    Configuring Customized WebAuth in WCS

    Download the Sample File and Upload a Customized Web Page in WCS

    [Figure: WCS pushing the customized page to the WLC; guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 22

    Guest User Database: Internal

    Use the Internal User Database of WLC

    [Figure: WLC holding the guest user database; guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 23

    Guest User Database: External RADIUS

    External RADIUS Can Be Used to Store Guest Usernames

    [Figure: external RADIUS server queried by the WLC; guest and employee clients on LWAPP access points, wireless VLANs at the campus core, Internet edge]

  • Slide 24

    External In-band Web Auth Appliance (CCA)

    Solution components: CAS (Clean Access Server) and CAM (Clean Access Manager) running on Linux servers

    Performance: 1 Gbps throughput with up to 2500 concurrent user authentications

    Integration: with Kerberos, LDAP, RADIUS, Active Directory, S/Ident, and others

    HA: supports a 2-node failover cluster or n+1 load balancing

    CAS deployed in L3 In-Band Mode

    Support for network scan (Nessus) of guest machines

    Support for complete posture assessment (agent required on clients)

    Guest Access Methods:

    Authentication-less: via Single Guest Button or Email/Name/Location

    Authentication - via GuestNet or Visitornetwork
