#clmel
Deploying Wireless Guest Access
BRKEWN-2014
Gareth Taylor, CCIE# 4243, Systems Engineer, Cisco
© 2015 Cisco and/or its affiliates. All rights reserved. BRKEWN-2014 Cisco Public
Agenda
• Overview
• Wireless Guest Access Control & Path Isolation
• Wired Guest Access Control & Path Isolation
• Guest Services Portal
• Guest Services Provisioning
• Guest Monitoring & Reporting
Overview: Guest Access as a Supplementary User Authentication
Evolution of Network Access: Age of the Unified Access Network
[Figure: access methods (campus network, branch network, VPN, hotspot, wireless) reaching internal resources and the Internet; identity context includes location, health and time; subjects include employees (sales, finance, mobile workers with personal devices), guests, contractors, game consoles, IP cameras, security systems and printers (payroll, sales); the recurring question for each is whether the endpoint is a managed desktop.]
When to Use Web-Authentication?
Web Auth is a supplementary authentication method.
It is most useful when users can't perform or pass 802.1X.
Primary use case: Guest Access
Secondary use case: Employee who fails 802.1X
Access methods and who they serve:
802.1X: managed 802.1X devices, known users (e.g. an employee with SSC)
MAB (MAC address bypass): managed devices
Web Auth: users without 802.1X devices, users with bad credentials (e.g. an employee whose credential fails), guests
Corporate vs Guests: Who = User Identity
[Figure: employee and guest devices on the same AP, CAPWAP to the WLC, an 802.1Q trunk carrying VLAN 30 and VLAN 50 towards corporate resources and the Internet, ISE as the policy server.]
1. EAP authentication
2. Accept with VLAN 30
3. Web Auth
4. Accept with GUEST ACL
Users with corporate devices and their AD user ID can be assigned to the Employee VLAN.
Guests authenticate via Web Auth and are assigned a GUEST-ACL on the Guest VLAN.
Requirements for Secure Guest Access
Technical:
No access until authorised
Guest traffic should be segregated from the internal network
Web-based authentication
Bandwidth and QoS management
Overlay onto existing enterprise network
Usability:
No device reconfiguration, no client software required: "Plug & Play"
Easy administration by non-IT staff
Splash screens and web content can differ by location
"Guest network" must be free or cost-effective and non-disruptive
Monitoring:
Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted
Logging & Monitoring: auditing of location, MAC, IP address, username
Wireless Guest Access Control & Path Isolation
Access Control: End-to-End Wireless Traffic Isolation
[Figure: CAPWAP APs with CAPWAP tunnels to the WLAN controller.]
The fact:
Traffic isolation achieved via CAPWAP is valid from the AP to the WLAN Controller.
The challenge:
How to provide end-to-end wireless guest traffic isolation, allowing internet access but preventing any other communications?
Why do we need it for Guest Access:
Extend logical traffic isolation end-to-end over the L3 network domain
Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, bandwidth, etc.)
Securely transport the guest traffic across the internal network infrastructure to the DMZ
Converged Access Guest – Mid-Sized and Small Branch
WebAuth with Catalyst 3850 / 3650 / Sup8E only (<250 APs, and no Guest Anchor)
Cisco Converged Access Deployment
[Figure: APs with CAPWAP tunnels to the MC/MA Cat3850 running WebAuth, firewall to the Internet, intranet with CPI and ISE; guest and employee clients share the same APs.]
WebAuth Portal Characteristics
Small ~ Mid-Size Independent or Remote Branch
Distributed Guest WebAuth Portal in each Mobility Agent "MA"
Wireless guest traffic gets its IP address at its Point of Presence "POP" at the MA
WebAuth Portal on-box, Customisable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Pass thru/Consent, Logout Page
HTTPS and HTTP redirect for Wired and Wireless
Authenticating: local database/AAA/LDAP/Cisco Prime-Lobby Ambassador
Security: Pre-Auth ACL, AAA override for DACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing
Visibility: Flexible NetFlow
Seamless Mobility L2 / L3 Roaming
Converged Access Guest – Mid-Sized and Small Branch
WebAuth Central Guest Anchor and "Converged Access" 3850 / 3650 / Sup8E (<250 APs per Branch)
Cisco Converged Access Deployment
[Figure: branch APs with CAPWAP tunnels to Cat3650/3850 MAs and an MC/MA, the CA switch acting as Foreign, a CAPWAP mobility tunnel to the WLC Guest Anchor in the data centre, firewall to the Internet, intranet with CPI and ISE; guest and employee clients share the same APs.]
WebAuth Portal & GA Characteristics
Small ~ Mid-Size Independent Branch with Cat3650/3850
Central Guest WebAuth Portal in GA CT5760/CT5508/WiSM-2/CT2504
Centralised Wired & Wireless Guest: starting with 3.3.0SE, Cat3650/3850 only acts as Foreign
Wireless & wired guest traffic gets its POP at the GA
Provides granular centralised profiling (ISE Policy Decision Point, PDP) of guest devices
Provides simple aggregation to the DMZ for firewall and web filtering of all guests
– WebAuth Portal on-box, Customisable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Pass thru/Consent, Logout Page
– HTTPS and HTTP redirect for Wired and Wireless
– Authenticating: local database/AAA/LDAP/Cisco Prime-Lobby Ambassador
– Security: Pre-Auth ACL, AAA override for DACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing
– Visibility: Flexible NetFlow
– Seamless Mobility L2/L3 Roaming
Centralised WLC Guest Anchor "GA": Campus WebAuth
Large Independent Campus or Branch (No Converged Access) – "Classic Centralised CUWN"
[Figure: campus APs with CAPWAP tunnels to intranet WLCs, EoIP or CAPWAP mobility tunnels to the Guest Anchor WLC in the data centre, a Cat3750 centralised service block, firewall to the Internet, CPI and ISE; guest and employee clients share the same APs.]
WebAuth Portal & GA Characteristics
Central Guest WebAuth Portal in GA CT5760/CT5508/WiSM-2/CT8510/CT2504
– Wireless guest traffic gets its IP address at the GA – Point of Presence "POP"
– Provides granular centralised profiling (PDP) of guest devices
– Provides simple aggregation to the DMZ for firewall and web filtering of all guests
– Use of up to 71 EoIP/CAPWAP Anchor tunnels with redundant Anchor WLC
– WebAuth Portal on-box, Customisable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Pass thru/Consent, Logout Page
– HTTPS and HTTP redirect for Wired and Wireless
– Authenticating: local database/AAA/LDAP/Cisco Prime-Lobby Ambassador
– Security: Pre-Auth ACL, AAA override for DACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing
– Seamless Mobility L2/L3 Roaming
Implementing Guest Path Isolation Using WLC: Building the EoIP/CAPWAP Tunnel
1. Specify a mobility group for each WLC
2. Open ports for:
a) Inter-Controller Tunneled Client Data
b) Inter-Controller Control Traffic
c) EoIP/CAPWAP tunnel protocol
d) Other ports as required
3. Configure the mobility groups and add the MAC address and IP address of the foreign WLC
4. Check the status of the Mobility Anchors for the WLAN
5. Create the Guest VLAN on the Anchor controller(s)
6. Configure identical WLANs on the Foreign and Anchor controllers
7. Configure the Mobility Anchor for the Guest WLAN
Guest Path Isolation: Firewall Ports and Protocols (For Your Reference)
Open ports in both directions between the Foreign and Anchor WLCs for:

Must be open (slide callout: "Must be Open!"):
| Service | Protocol / Port |
| --- | --- |
| EoIP packets (Classic Mobility Anchor) | IP protocol 97 |
| Mobility Control & New Mobility Data | UDP 16666 |
| Inter-Controller CAPWAP (rel 5.0+) Data/Control Traffic | UDP 5247/5246 |

Optional management/operational protocols (slide callout: "Do NOT Open!" unless required):
| Service | Protocol / Port |
| --- | --- |
| SSH/Telnet | TCP 22/23 |
| TFTP | UDP 69 |
| NTP | UDP 123 |
| SNMP | UDP 161 (gets and sets) and 162 (traps) |
| HTTPS/HTTP | TCP 443/80 |
| Syslog | TCP 514 |
| RADIUS Auth/Account | UDP 1812 and 1813 |
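As an added example (not from the deck), the following Python classifies flows seen at the DMZ firewall between a Foreign WLC and a Guest Anchor WLC against the port list above: the tunnel protocols are permitted, the optional management protocols are flagged for review, and anything else, including a guest subnet reaching for an intranet host, is denied. The controller addresses reuse the slide's sample 11.1.1.1 (MC, acting as Foreign) and 10.1.1.105 (GA); the guest and server addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flows without which the EoIP/CAPWAP anchor tunnel cannot come up (slide list).
REQUIRED = {
    ("ip97", None): "EoIP tunnelled client data (classic mobility anchor)",
    ("udp", 16666): "mobility control / New Mobility data",
    ("udp", 5246): "inter-controller CAPWAP control",
    ("udp", 5247): "inter-controller CAPWAP data",
}
# Management/operational protocols the slide lists as optional.
OPTIONAL = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("udp", 69): "TFTP",
    ("udp", 123): "NTP", ("udp", 161): "SNMP get/set", ("udp", 162): "SNMP trap",
    ("tcp", 443): "HTTPS", ("tcp", 80): "HTTP", ("tcp", 514): "Syslog",
    ("udp", 1812): "RADIUS authentication", ("udp", 1813): "RADIUS accounting",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "ip97" (IP protocol 97, EtherIP)
    dport: Optional[int] = None  # None for protocols without ports


def classify(flow: Flow, foreign: str, anchor: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow seen at the DMZ firewall.

    Only traffic between the two controllers is tunnel traffic: it is permitted
    when on the required list and flagged for review when it is one of the
    optional management protocols. Everything else is denied, including a
    guest subnet reaching for an intranet host: guests must only leave the
    network through the anchor in the DMZ.
    """
    between_wlcs = {flow.src, flow.dst} == {foreign, anchor}
    key = (flow.proto, None if flow.proto == "ip97" else flow.dport)
    if between_wlcs and key in REQUIRED:
        return "permit", REQUIRED[key]
    if between_wlcs and key in OPTIONAL:
        return "review", OPTIONAL[key] + " (management; open only if required)"
    return "deny", "not part of the anchor tunnel"


def evaluate(foreign: str, anchor: str, flows: List[Flow]) -> List[Tuple[str, str]]:
    """Classify every flow and return [(description, verdict), ...]."""
    out = []
    for f in flows:
        verdict, _ = classify(f, foreign, anchor)
        port = "" if f.dport is None else f"/{f.dport}"
        out.append((f"{f.src}->{f.dst} {f.proto}{port}", verdict))
    return out


if __name__ == "__main__":
    foreign, anchor = "11.1.1.1", "10.1.1.105"   # slide's sample MC and GA addresses
    sample = [                                     # constructed sample flows
        Flow(foreign, anchor, "ip97"),             # EoIP client data
        Flow(anchor, foreign, "udp", 16666),       # mobility control, reverse direction
        Flow(foreign, anchor, "udp", 5247),        # CAPWAP data
        Flow(foreign, anchor, "tcp", 22),          # SSH between the controllers
        Flow("172.16.42.10", "10.10.10.5", "tcp", 445),  # guest host to intranet host
    ]
    for desc, verdict in evaluate(foreign, anchor, sample):
        print(f"{verdict:7s} {desc}")
```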
Guest Path Isolation: WLC Deployments with EoIP/CAPWAP Tunnel
Foreign Configuration: Anchor and Foreign WLCs are configured in different Mobility Groups.
Anchor & Foreign Configuration: Configure the mobility groups and add the MAC address and IP address of the foreign WLCs.
Anchor Configuration: Check the status of the mobility anchors for the WLAN.
Anchor & Foreign Configuration: Configure the Guest VLAN on the Anchor WLC.
Anchor Configuration: Configure the mobility anchor for the guest WLAN on the Anchor WLCs.
Foreign Configuration: Configure the mobility anchor for the guest WLAN on the Foreign WLCs.
Wired Guest Access Control and Path Isolation
Unified Wired and Wireless Deployment: WLC Wired Guest Access
AireOS WLC and IOS-XE WLC provide 2 approaches to solving this!
Allows organisations to leverage existing wireless infrastructure to provide guest access on the LAN
Lobby Administrator interface and captive portal provide ease of guest user provisioning and consistent network access
Enables the ability to leverage common guest user policies for both wired and wireless network access
WLC Guest Access for Wired LAN: AireOS WLC Overview
[Figure: wired client on a Layer-2 switch in the wired guest VLAN, EtherIP "Guest Tunnel" (EoIP/CAPWAP) across the campus core from the WLC to the DMZ, CAPWAP APs carrying secure and guest wireless VLANs, Internet.]
Wired Guest VLAN must be L2-adjacent with the WLC
Wired Guest VLAN can be the fallback VLAN in 802.1x/EAP authentication on the switch
Supported on CT2504, CT5508, CT8510, WiSM-2 series
WLC Wired Guest Access with EoIP/CAPWAP: AireOS WLC - Wired Guest Access
1. Wired guest ports are provided in a designated location at the access switch
2. The configuration on the access switch puts these ports into the wired guest layer-2 VLAN
3. On a single WLAN controller the guest VLAN will be trunked into the WLC
4. On a multi-controller deployment with Auto Anchor mode the guest VLAN will trunk into the Foreign controller and then be tunnelled into the DMZ Anchor controller
[Figure: wired guests on an isolated L2 VLAN at the access switch, Wireless LAN Controller in the corporate intranet, EoIP tunnel to the DMZ/Anchor Wireless LAN Controller behind a Cisco ASA firewall, Internet; wireless guests follow the same path.]
WLC Wired Guest Access Configuration: AireOS WLC - Wired Guest Access Deployment Steps
Create a dynamic interface as "Guest LAN", which will be the ingress "Foreign" interface
DHCP server information is not required on the ingress "Foreign" interface
DHCP server information is required on the egress "Anchor" dynamic interface
Create a wired WLAN of "Guest LAN" type
Foreign WLC: assign the ingress and egress interfaces
Ingress interface is the wired guest LAN
Egress interface could be the management or any dynamic interface
Anchor WLC: wireless and wired guest WLAN
Egress interface will be the desired wired guest dynamic interface
Unified Wired and Wireless Deployment: IOS-XE WLC "CA" & Wired Guest Access
Cisco Converged Access Deployment
[Figure: two client flows starting from a failed Dot1X/MAB at the switch. Open Guest Access: CAPWAP session to the Guest Anchor controller, client authorisation, IP address assignment, guest access at the Guest Anchor controller. Web Authenticated Guest Access: CAPWAP session to the Guest Anchor controller, IP address assignment, local WebAuth at the Guest Anchor controller, client authorisation, guest access at the Guest Anchor controller.]
Wireless Guest Access supported from FCS (3.2.0SE)
With IOS-XE 3.3.0SE 'Wired' Guest Anchor Access is introduced
'tunnel-mode' as the fallback method to Enterprise Level Security
Tunnels wired guest traffic to the Guest Anchor Controller
Works with SaNET based policies only
Can support up to 2000 wired clients
Up to 5 Wired Guest LANs can be configured
Each Wired Guest LAN can have multiple Guest Controllers for redundancy
Wired Guest Anchor Access with CAPWAP: IOS-XE WLC "CA" Co-Located MC and MA Deployment Steps
Cisco Converged Access Deployment
[Figure: wired guest user on a "CA" switch acting as co-located MC and MA, across the WAN to the Guest Anchor (GA) in the central location / data centre DMZ; ISE and CPI in the central location.]
GA (Guest Anchor) configuration:
  wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
  guest-lan wga_lan 1
   client vlan VLAN0042
   security web-auth
   mobility anchor
MC/MA ("CA" switch) configuration:
  wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105
  policy-map type control subscriber wga_policy
   event session-started match-all
    1 class always do-until-failure
     1 activate service-template wga_temp
     2 authorize
   event authentication-failure match-all
    1 class always do-until-failure
     1 deactivate service-template wga_temp
  service-template wga_temp
   tunnel type capwap name wga_lan
  guest-lan wga_lan 1
   client vlan VLAN0042
   security web-auth
   mobility anchor 10.1.1.105
  interface GigabitEthernet1/0/2
   access-session port-control auto
   service-policy type control subscriber wga_policy
Wired Guest Anchor Access with CAPWAP: IOS-XE WLC "CA" & Centralised MC, Distributed MAs
Cisco Converged Access Deployment
[Figure: campus access layer with distributed MAs serving wired guest users, campus services with the MC, CPI and ISE, 5508/5760 Guest Anchors (GA) in the data centre DMZ, Internet.]
MC configuration:
  wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105
GA (Guest Anchor) configuration:
  wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
  guest-lan wga_lan 1
   client vlan VLAN0042
   security web-auth
   mobility anchor
MA (distributed Mobility Agent, access switch) configuration; MC and GA configuration as above:
  policy-map type control subscriber wga_policy
   event session-started match-all
    1 class always do-until-failure
     1 activate service-template wga_temp
     2 authorize
   event authentication-failure match-all
    1 class always do-until-failure
     1 deactivate service-template wga_temp
  service-template wga_temp
   tunnel type capwap name wga_lan
  guest-lan wga_lan 1
   client vlan VLAN0042
   security web-auth
   mobility anchor 10.1.1.105
  interface GigabitEthernet1/0/2
   access-session port-control auto
   service-policy type control subscriber wga_policy
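As an added example (not from the deck), the following Python parses configurations in the style of the CLI above and checks a Foreign/Anchor pair for the consistency the seven-step procedure requires: both controllers list each other as mobility peers (step 3), the guest LAN is configured identically on both sides (step 6), the MA's CAPWAP service-template tunnels to a configured guest LAN, and no more than five wired guest LANs are defined. The sample configurations are constructed from the slide's CLI; reading a bare `mobility anchor` on the GA as "anchor locally" is an assumption, not something the slide states.

```python
import re

# Constructed sample configurations modelled on the slide's CLI.
GA_CONFIG = """\
wireless mobility group member ip 11.1.1.1 public-ip 11.1.1.1
guest-lan wga_lan 1
 client vlan VLAN0042
 security web-auth
 mobility anchor
"""

MA_CONFIG = """\
wireless mobility group member ip 10.1.1.105 public-ip 10.1.1.105
service-template wga_temp
 tunnel type capwap name wga_lan
guest-lan wga_lan 1
 client vlan VLAN0042
 security web-auth
 mobility anchor 10.1.1.105
"""


def parse(config: str) -> dict:
    """Extract mobility peers, guest-lan blocks and service-template tunnel targets."""
    members, lans, tunnels = set(), {}, {}
    current = None  # ("lan", name) or ("tmpl", name) while inside a block
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # top-level command opens (or ends) a block
            current = None
            if m := re.match(r"wireless mobility group member ip (\S+)", raw):
                members.add(m.group(1))
            elif m := re.match(r"guest-lan (\S+) (\d+)", raw):
                current = ("lan", m.group(1))
                lans[m.group(1)] = {"id": int(m.group(2)), "vlan": None,
                                    "security": None, "anchor": None}
            elif m := re.match(r"service-template (\S+)", raw):
                current = ("tmpl", m.group(1))
            continue
        sub = raw.strip()  # indented sub-mode command of the current block
        if current and current[0] == "lan":
            lan = lans[current[1]]
            if sub.startswith("client vlan "):
                lan["vlan"] = sub.split()[2]
            elif sub.startswith("security "):
                lan["security"] = sub.split(None, 1)[1]
            elif sub.startswith("mobility anchor"):
                parts = sub.split()
                # Assumption: a bare "mobility anchor" means "anchor here".
                lan["anchor"] = parts[2] if len(parts) > 2 else "local"
        elif current and current[0] == "tmpl":
            if m := re.match(r"tunnel type capwap name (\S+)", sub):
                tunnels[current[1]] = m.group(1)
    return {"members": members, "lans": lans, "tunnels": tunnels}


def check_pair(foreign_cfg: str, anchor_cfg: str, foreign_ip: str,
               anchor_ip: str, max_guest_lans: int = 5) -> list:
    """Return findings for a Foreign/Anchor pair; an empty list is a pass."""
    f, a = parse(foreign_cfg), parse(anchor_cfg)
    out = []
    # Procedure step 3: each controller lists the other as a mobility peer.
    if anchor_ip not in f["members"]:
        out.append(f"foreign: anchor {anchor_ip} missing from mobility group")
    if foreign_ip not in a["members"]:
        out.append(f"anchor: foreign {foreign_ip} missing from mobility group")
    # Slide: up to 5 wired guest LANs can be configured.
    if len(f["lans"]) > max_guest_lans:
        out.append(f"foreign: {len(f['lans'])} guest-lans exceed {max_guest_lans}")
    for name, lan in f["lans"].items():
        if lan["anchor"] != anchor_ip:
            out.append(f"foreign: guest-lan {name} is not anchored to {anchor_ip}")
        peer = a["lans"].get(name)
        if peer is None:  # step 6: the guest LAN must exist on both sides
            out.append(f"anchor: guest-lan {name} is not configured")
            continue
        if (peer["id"], peer["security"]) != (lan["id"], lan["security"]):
            out.append(f"guest-lan {name}: id or security differs between sides")
        if peer["anchor"] != "local":
            out.append(f"anchor: guest-lan {name} anchors to {peer['anchor']}, not locally")
    for tmpl, target in f["tunnels"].items():
        if target not in f["lans"]:
            out.append(f"foreign: service-template {tmpl} tunnels to unknown guest-lan {target}")
    return out


if __name__ == "__main__":
    print(check_pair(MA_CONFIG, GA_CONFIG, "11.1.1.1", "10.1.1.105") or ["consistent"])
```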
Wired Guest Anchor Access: IOS-XE WLC - No Wired Guest Anchor without Wireless Enabled on 3850 / 3650 / Sup8E
Cisco Converged Access Deployment
[Figure: the same campus topology (mobility group with MC, MA, 5508/5760 Guest Anchors in the data centre DMZ, CPI, ISE, Internet) with the access switch serving the wired guest user.]
In this deployment Wired Guest Anchor Access is NOT supported: the 3850 / 3650 / Sup8E is acting as a pure switch with no wireless enabled (no MA or MC capability).
IRCM Compatibility Matrix (For Your Reference)
Source: http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

| CUWN Service | 4.2.x.x | 5.0.x.x | 5.1.x.x | 6.0.x.x | 7.0.x.x | 7.2.x.x | 7.3.x.x | 7.4.x.x | 7.5.x.x | 7.6.x.x | 7.3.112 & ≥ 7.5 (1) | IOS-XE ≥ 3.2.0SE (1) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Layer 2 and Layer 3 Roaming | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| Wireless Guest Anchor/Termination | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | OK | OK (2) |
| wIPS & AwIPS Rogue Detection | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK (3) |
| Fast Roaming (CCKM) in a mobility group | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| Location Services | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| Radio Resource Management (RRM) | Y | – | – | Y | Y | Y (4) | Y (4) | Y | Y | Y | OK (5) | OK (5) |
| Management Frame Protection (MFP) | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK | OK |
| AP Failover | Y | – | – | Y | Y | Y | Y | Y | Y | Y | OK (6) | OK (6) |

Y = Compatibility in Classic Flat Mobility; OK = Compatibility in New Mobility
NOTES:
1. New Mobility is only supported on AireOS CT2504/CT5508 & WiSM-2 platforms but does not form any IRCM or GA with CT7500/CT8500/v-WLC
2. Guest Anchor Termination is only supported on CT2504/CT5760/CT5508/WiSM-2. CT2504/CT5760/CT5508/WiSM-2/Cat3650&3850 are all supported as a Foreign
3. Rogue Detector Mode is not supported in CA mode with Cat3650/3850
4. In Release 7.2 RF Profiles and groups were introduced. RRM for release 7.2 and later is not backwardly compatible with previous releases.
5. RRM Converged Access is compatible with CUWN release 7.6+ but does not support RF Profiles and Groups introduced in 7.2
6. AP SSO in IOS 3.3.0SE for CT5760. AP Intra-OS Platform Fast Failover Supported. AP Inter-OS Platform Image Download & Reboot performed.
Guest Services Portal
Local WLC WebAuth "LWA" Guest Services Portal: Internal Web Portal "LWA"
Wireless guest user associates to the guest SSID
Initiates a browser connection to any website
Web login page will be displayed (fixed welcome text, login credentials)
Wireless & Wired Guest Authentication Portal is available in 4 modes:
1. Internal (Default Web Authentication Pages) – aka: Local WebAuth "LWA"
2. Customised (Downloaded Customised Web Pages) – still "LWA"
3. External using ISE for RADIUS authentication – still "LWA"
4. External (Re-directed to external server) – aka: External WebAuth "EWA"
ISE Central WebAuth "CWA" is another version of this, not covered today
"LWA" Guest Services Portal: Customisable Web Portal "LWA"
Create your own Guest Access Portal web pages
Upload the customised web page to the WLC
Configure the WLC to use the "customisable web portal"
A customised WebAuth bundle of up to 5 Mb in size can contain:
22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages
22 login successful pages
"LWA" Guest Services Portal: IOS-XE WLC Important Upgrade Note (For Your Reference)
Refer to the CCO release notes for IOS-XE 3.6.0SE or above:
"After you upgrade to Cisco IOS XE Release 3.6.0 SE or above, the WebAuth success page behaviour is different from the behaviour seen in Cisco IOS XE Release 3.3.X SE. After a successful authentication on the WebAuth login page, the original requested URL opens in a pop-up window and not on the parent page. Therefore, we recommend that you upgrade the Web Authentication bundle so that the bundle is in the format that is used by the AireOS Wireless LAN Controllers."
External WebAuth "EWA" Guest Services Portal: External Web Portal "EWA"
Set in WLC > Security > WebAuth > Login
Or override at the Guest WLAN
Option to use a Pre-Auth ACL
ISE "EWA" Guest Services Portal: ISE Web Portal "EWA"
ISE Guest Server:
Multi-Function Standalone/Distributed Appliance
Customisable Multi-Portal Hosting
Sponsored Guest Access Provisioning, Verification, Management
ISE "EWA" Wireless Guest: ISE "EWA" Centralised Login Page
1. Administrator creates the WLAN login page on ISE
2. Wireless guest opens a web browser
3. Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server
4. Guest Server returns the centralised login page
[Figure: AP, WLC and ISE, with the redirect at step 3.]
ISE "EWA" Wired Guest: Looks Exactly the Same as Wireless
1. Administrator creates the wired login page on ISE
2. Wired guest opens a web browser
3. Web traffic is intercepted by the switch and redirected to the Guest Server
4. Guest Server returns the centralised login page
[Figure: switch and ISE, with the redirect at step 3.]
"EWA" Authentication and Authorisation: Still Local
1. Administrator creates the wired login page on ISE
2. Wired guest opens a web browser
3. Web traffic is intercepted by the switch and redirected to the Guest Server
4. Guest Server returns the centralised login page
5. Guest submits credentials to the switch (POST to switch: username, pwd)
6. Switch authenticates the credentials & controls access
[Figure: switch and ISE; authentication and access control happen on the switch at step 6.]
CMX Visitor Connect 8.0: Another type of "EWA"
[Figure: wireless clients get a device-specific / location-specific login screen; at login (1) the WLC issues an HTTP redirect on port 8083 to the MSE Connect & Engage service, which uses the MSE CAS service (location) over SOAP/XML and the REST API; CPI manages the deployment.]
CMX Analytics Topology: CMX for Facebook Wifi
[Figure: the same topology (wireless clients, device-specific / location-specific login screen, MSE Connect & Engage service, MSE CAS service (location) over SOAP/XML and the REST API, CPI) with an HTTPS redirect at login (1); the first redirect is on port 8084, then moved to (2).]
Configuring CMX Visitor Connect
In MSE 8.0 we have dramatically simplified how Visitor Connect is configured: the user only needs to configure the items to be collected (i.e. email and name) and the zones that this template will be used at. The first template will be the default for all locations.
You can configure Social Auth users to have a higher quota than non Social Auth users.
CMX Visitor Connect: Location-Specific Guest Access
[Figure: portal flow: terms and conditions; registration; connect; simplified social login; custom landing page/video.]
Guest Onboarding Methods Compared (For Your Reference)

| Guest Method | CMX Visitor Connect / Facebook Wifi | CMX Visitor Connect (old) | CMX for Facebook Wifi (old) | WLC Based with and without ISE |
| --- | --- | --- | --- | --- |
| MSE Image | 8.0 | 7.6 | Separate OVA | N/A - uses WLC image only |
| Authentication | OAuth with social credentials, i.e. FB, G+, LinkedIn, or native FB | OAuth with social credentials, i.e. FB, G+, LinkedIn | Facebook only | Guest users in ISE or via PI / Cisco Lobby Ambassador or AAA |
| Info to authenticator | Credentials only (OAuth) or credentials and packet counts | Credentials only | Credentials and packet counts | Credentials |
| Disconnect | New NMSP message for forced deauthentication, controlled by FB policy or config (on WLC 8.0) | Session timeout on WLC | Based on FB policy, after 2 hours reconnect required | Configurable in PI or ISE |
| Requirements | Standard MSE | Standard MSE | Special purpose VM plus PBR | Standard WLC + ISE |
Guest Services Provisioning
Requirements for Guest Provisioning
Might be performed by a non-IT user ("Lobby Ambassador")
Must deliver basic features, but might also require advanced features: duration, start/end time, bulk provisioning, reporting
Provisioning strategies: Lobby Ambassador; Employees
Multiple Guest Provisioning Services
The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
Cisco WLC – Basic Provisioning (included in the Cisco Wireless LAN Solution)
CPI Lobby Ambassador – Advanced Provisioning (additional Cisco product and services)
Cisco Identity Services Engine – Dedicated Provisioning (additional Cisco product and services)
CMX Visitor Connect – "B2V" Provisioning (additional Cisco product and services)
Custom Server – Customised Provisioning (highly custom development)
Guest Provisioning Service: Cisco Wireless LAN Controller (AireOS)
Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
Lobby Ambassadors have limited guest features and must create the user directly on the WLC:
Create Guest User – up to 2048 entries
Set time limitation – up to 35 weeks
Set Guest SSID
Set QoS Profile
Guest Provisioning Service: Create the Lobby Admin in WLC (AireOS)
Lobby administrator can be created in the WLC directly
Local WLC Guest Management: a password is created; quickly create a guest with time limit and WLAN profile; guest web login
Guest Provisioning Service: Cisco Prime Infrastructure
CPI offers specific Lobby Ambassador access for guest management only
Lobby Ambassador accounts can be created directly on CPI, or be defined on external RADIUS/TACACS+ servers
Lobby Ambassadors on CPI are able to create guest accounts with advanced features like:
Start/End time and date, duration,
Bulk provisioning,
Set QoS Profiles,
Set access based on WLC, Access Points or Location
Guest Provisioning Service: Lobby Ambassador Feature in CPI
Associate the lobby admin with profile- and location-specific information
Guest Provisioning Service: Add a Guest User with CPI
Guest Provisioning Service: Print/E-Mail Details of Guest User
Guest Provisioning Service: Schedule a Guest User
Guest Monitoring and Reporting
Guest Monitoring - CPI
The Monitor > Clients and Users window will show all authentications including guests
Identity and authorisation can be found for guests
Guest Activity Reporting - CPI
Variable reporting periods
Customised profile and scheduling
Guest Monitoring - ISE
The Monitor > Operations > Authentications window will show all authentications including guests
Identity and authorisation can be found for guests
Guest Activity Reporting - ISE
Guest Reports: summary, drill down to guest detail
What We Have Covered…
What Guest Access Services are made of.
The need for a secured infrastructure to support isolated Guest traffic.
Unified Wireless is a key component of this infrastructure.
The Guest Service components are integrated in the Cisco Wired and Wireless Solution.
Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network.
Q & A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations:
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Thank you.