7/22/2019 Wireless Guest Access
2013 Cisco and/or its affiliates. All rights reserved.BRKEWN-2013 Cisco Public
Deploying Wireless Guest Access
Paul Nguyen
BRKEWN-2013
Abstract
This session focuses on design requirements and deployment conside
wireless Guest access solution. It discusses the main components of a
guest access solution including how to provide network access to visit
guest traffic across the network that is safe and secure. Attendees wil
to a detailed discussion on various guest access services directly on t
controllers (WLC), management of Guest services using Cisco Prime
(PI), and integration with the Identity Services Engine (ISE) for various
authentication services such as sponsored and self-service options. W
discuss FlexConnect, Guest Anchor, and enhanced guest security with
This session is especially useful for those attendees responsible for th
Deployment Operations and Management of Enterprise Campus Wire
It is assumed that all those attending this session have a working know
switching and routing, fundamentals in 802.1X and Network Admission
Knowledge of 802.11 WLAN fundamentals and WLAN security is requ
Agenda
Overview: Guest Access as a Supplementary Authentication
Guest Access Control & Path Isolation
Secure Guest in FlexConnect
Guest Authentication Portal
Guest Provisioning
Monitoring & Reporting
Demo
Session Objectives
Understand what wireless Guest Access Services are made of.
Learn about the importance of isolating Guest tr
See how guest access is integrated in Cisco Wi
Solution.
Securing FlexConnect is simple to understand and configure.
Discover how Cisco ISE enhances Guest Services.
Guest Access Overview
Evolution of Network Access: Age of the Borderless Network
[Figure: campus network, branch network, Internet, VPN and wireless hotspot paths; endpoints include employees (Sales) on managed desktops, guests, contractors, mobile workers, personal devices, game consoles, IP cameras, printers and security systems; location and health are shown as access attributes.]
Context-Based Access: Who = User Identity
Known/Managed Users (Long-term)
Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Co
Primary Auth Methods: 802.1X or Agent-based
Considerations:
Identity Stores
EAP types and supplicant
Unknown/Unmanaged Users (Temporary or Infrequent Access)
Examples: Guests, Visitors, Short-term Partners/Contractors
Primary Auth Method: Web authentication
Considerations:
Web Redirection and Authentication Portals
Guest Provisioning and Identity Stores
Corporate vs Guests
[Figure: APs reach the WLC over CAPWAP; the WLC trunks (802.1Q) VLAN 30 and VLAN 50 to the switch; ISE answers both flows.]
1. EAP Authentication
2. Accept with VLAN 30
3. Web Auth
4. Accept with GUEST
Users with corporate devices and their AD user id can be assigned the Employee VLAN
Guests authenticate via Web Auth and are assigned to a GUEST-A
the Guest VLAN
Requirements for Secure Guest Access (Technical, Usability, Monitoring)
No access until authorized
Guest traffic should be segregated from the internal network
Web-based authentication
Full auditing of location, MAC, IP address, username
Overlay onto existing enterprise network
Bandwidth and QoS management
No laptop reconfiguration, no client software required
Plug & Play
Splash screens and web content can differ by location
Easy administration by non-IT staff
Guest network must be free or cost-effective a
Mandatory acceptance of disclaimer or Acceptable Use Policy before access is granted
Logging and Monitoring
Must not require guest desktop software or configuration
Guest Access Components
[Figure: guest and employee access components: customizable login page, existing credentials, parity for wired/wireless, centralized web page management, NAC Guest, flexible access policies, ACS 5.1, integrated access authentication, centralized accounting, 802.1X/MAB compatibility, Identity Services Engine.]
Guest Access Control & Path Isolation
Access Control: End-to-End Wireless Traffic Isolation
The fact: traffic isolation achieved via CAPWAP is valid from the AP to the WLAN Controller.
The challenge: how to provide end-to-end wireless guest traffic isolation, allowing internet access but preventing any other communications?
[Figure: CAPWAP APs tunnelling to the controller.]
Path Isolation: Why Do We Need It for Guest Access?
Extend traffic logical isolation end-to-end over the L3 network domain
Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, bandwidth, etc.)
Securely transport the guest traffic across the internal network infrastructure to the DMZ
Guest Access Control
CAPWAP tunnel is a Layer 2 tunnel (encapsulates original Ethernet frame)
Same CAPWAP tunnel used for data traffic of different SSIDs
Control and data traffic tunneled to the controller via CAPWAP: data uses UDP 5247, control uses UDP 5246
Data traffic bridged by WLAN controller on a unique VLAN corresponding to each SSID
Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
CAPWAP - Control And Provisioning of Wireless Access Points
[Figure: Cisco WLAN Controller Deployments: APs tunnel CAPWAP across the campus core to a WiSM WLAN controller, which breaks out the Guest and Employee wireless VLANs.]
Solution #1: Path Isolation using EoIP
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest Ethernet frame maintained across CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor WLC
Virtual WLC models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC
2500 can now support up to 15 EoIP tunnels.
[Figure: WLAN Controller Deployments with EoIP Tunnel: guest traffic rides CAPWAP from the AP to the remote WLC, then an EoIP guest tunnel through a Cisco ASA firewall to the anchor WLC and on to the Internet.]
Guest Network Redundancy
Using EoIP pings (data path) functionality, Anchor WLC reachability will be determined
Foreign WLC will send pings at configurable intervals to see if Anchor WLC is alive
Once an Anchor WLC failure is detected a DEAUTH is sent to the client
Remote WLC will keep on monitoring the Anchor WLC
Under normal conditions round-robin fashion is used to balance clients between Anchor WLCs
[Figure: foreign WLC (Management 10.10.80.3) with EtherIP guest tunnels over a primary and a redundant link across the campus core to the anchor WLCs; Guest VLAN 10.10.60.x/24 toward the Internet; CAPWAP from the APs.]
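As an added example (not from the deck), the following Python models the foreign WLC's anchor monitoring described above: data-path pings decide whether each anchor is alive, the clients of an anchor that just failed are returned for DEAUTH, and new clients are placed round-robin across the anchors still alive. The anchor names, client MACs and the three-missed-pings threshold are assumptions; the real ping interval and retry count are controller settings the slide does not give.

```python
class AnchorMonitor:
    """Models a foreign (remote) WLC watching its anchor WLCs with data-path EoIP pings."""

    def __init__(self, anchors, miss_threshold=3):
        self.anchors = list(anchors)            # anchor WLCs configured for the guest WLAN
        self.alive = {a: True for a in self.anchors}
        self.misses = {a: 0 for a in self.anchors}
        self.clients = {}                        # guest client MAC -> anchor it is tunnelled to
        self.miss_threshold = miss_threshold     # assumed: consecutive lost pings before "dead"
        self._cursor = 0                         # round-robin position for new clients

    def live_anchors(self):
        return [a for a in self.anchors if self.alive[a]]

    def place_client(self, mac):
        """Round-robin a newly associated guest across the anchors currently alive."""
        live = self.live_anchors()
        if not live:
            return None                          # no anchor reachable: client cannot be tunnelled
        anchor = live[self._cursor % len(live)]
        self._cursor += 1
        self.clients[mac] = anchor
        return anchor

    def record_ping(self, anchor, replied):
        """Feed one ping result; returns the client MACs to DEAUTH if the anchor just failed."""
        if replied:
            self.misses[anchor] = 0
            self.alive[anchor] = True            # monitoring never stops; a recovered anchor rejoins
            return []
        self.misses[anchor] += 1
        if self.alive[anchor] and self.misses[anchor] >= self.miss_threshold:
            self.alive[anchor] = False
            victims = [m for m, a in self.clients.items() if a == anchor]
            for m in victims:
                del self.clients[m]              # DEAUTH: client re-associates and is re-anchored
            return victims
        return []


def failover_demo():
    """Constructed scenario: two anchors, four guests, then anchor-1 stops answering pings."""
    mon = AnchorMonitor(["anchor-1", "anchor-2"])
    macs = [f"00:11:22:33:44:0{i}" for i in range(1, 5)]
    placement = {m: mon.place_client(m) for m in macs}
    deauthed = []
    for _ in range(3):                           # three lost pings in a row
        deauthed += mon.record_ping("anchor-1", False)
    after = mon.place_client("00:11:22:33:44:05")  # new guest lands only on the surviving anchor
    return placement, sorted(deauthed), after, mon.live_anchors()


if __name__ == "__main__":
    print(failover_demo())
```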
Implementing Guest Path Isolation Using WLC: Building the EoIP Tunnel
1. Specify a mobility group for each WLC
2. Open ports for: Inter-Controller Tunneled Client Data, Inter-Controller Control Traffic, EoIP tunnel protocol, other ports as required
3. Create Guest VLAN on Anchor controller(s)
4. Create identical WLANs on the Remote and Anchor controllers
5. Configure the mobility groups and add the MAC address and IP address of the remote WLC
6. Create the Mobility Anchor for the Guest WLAN
7. Modify the timers in the WLCs
8. Check the status of the Mobility Anchors for the WLAN
Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Remote Controller Configuration
Anchor and Remote WLCs are configured in different Mobility Groups
Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor and Remote Controller Configuration
Configure Guest WLANs on the Remote and Anchor controllers
Configure Guest VLAN on the Anchor WLC
Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor and Remote Controller Configuration
Configure the mobility groups and add the MAC address and IP address of the WLCs
Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Remote Controller Configuration
Create the mobility anchor for the guest WLAN on Remote WLCs
Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor Controller Configuration
Create the Mobility Anchor for the guest WLAN on Anchor WLC
Path Isolation: WLAN Controller Deployments with EoIP Tunnel, Anchor Controller
Modify the timers and DSCP on the Anchor WLCs
Check the status of the mobility anchors for the WLAN
Guest Path Isolation: Firewall Ports and Protocols
Open ports in both directions for (must be open!):
EoIP packets: IP protocol 97
Mobility: UDP port 16666
Inter-Controller Data/Control Traffic: UDP 5247/5246
Optional management/operational protocols:
SSH/Telnet: TCP port 22/23
TFTP: UDP port 69
NTP: UDP port 123
SNMP: UDP ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP: TCP port 443/80
Syslog: TCP port 514
RADIUS Auth/Account: UDP ports 1812 and 1813
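Added example, not part of the deck: a small Python audit that checks constructed firewall log lines from the DMZ path between the remote and anchor WLCs against the port list above (the CAPWAP 5246/5247 pair from the Guest Access Control slide included), reporting required flows that never appear, flows the policy did not anticipate, and cleartext management protocols (Telnet, TFTP, HTTP) a practitioner would rather not see crossing the DMZ. The log-line format and the flows are constructed; the addres­ses reuse the slides' WLC management and guest ranges.

```python
import re

# The "must be open!" set: required in both directions between remote and anchor WLCs
REQUIRED = {
    ("ip", 97): "EoIP",
    ("udp", 16666): "Mobility",
    ("udp", 5246): "CAPWAP control",
    ("udp", 5247): "CAPWAP data",
}
# Optional management/operational protocols listed on the slide
OPTIONAL = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("udp", 69): "TFTP",
    ("udp", 123): "NTP", ("udp", 161): "SNMP get/set", ("udp", 162): "SNMP trap",
    ("tcp", 443): "HTTPS", ("tcp", 80): "HTTP", ("tcp", 514): "Syslog",
    ("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS acct",
}
# Optional protocols that carry credentials or configuration unencrypted: worth flagging
CLEARTEXT = {"Telnet", "TFTP", "HTTP"}

# Constructed log format: "src=A dst=B proto=udp|tcp|<ip-proto-number> [dport=N]"
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)(?:\s+dport=(\d+))?")


def parse_flow(line):
    """Return a (proto, port) key for one log line, or None if the line does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, dport = m.group(3).lower(), m.group(4)
    if proto.isdigit():                      # raw IP protocol, e.g. 97 = EoIP (no port)
        return ("ip", int(proto))
    return (proto, int(dport) if dport else None)


def classify(flow):
    """Map a flow key to ('required'|'optional'|'unexpected', name)."""
    if flow in REQUIRED:
        return "required", REQUIRED[flow]
    if flow in OPTIONAL:
        return "optional", OPTIONAL[flow]
    return "unexpected", f"{flow[0]}/{flow[1]}"


def audit(lines):
    """Summarise a log: required flows never seen, flows outside the policy, cleartext management."""
    seen_required, unexpected, cleartext = set(), set(), set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        kind, name = classify(flow)
        if kind == "required":
            seen_required.add(name)
        elif kind == "unexpected":
            unexpected.add(name)
        if name in CLEARTEXT:
            cleartext.add(name)
    return {
        "missing_required": sorted(set(REQUIRED.values()) - seen_required),
        "unexpected": sorted(unexpected),
        "cleartext": sorted(cleartext),
    }


# Constructed sample: 10.10.80.3 is the slides' WLC management address, 10.10.60.x the guest VLAN
SAMPLE_LOG = [
    "src=10.10.80.3 dst=10.10.20.5 proto=97",
    "src=10.10.80.3 dst=10.10.20.5 proto=udp dport=16666",
    "src=10.10.20.5 dst=10.10.80.3 proto=udp dport=5247",
    "src=10.10.80.3 dst=10.10.20.5 proto=tcp dport=23",
    "src=10.10.60.42 dst=10.10.20.5 proto=tcp dport=445",
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```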
Solution #2: Guest Path Isolation using VRF
Virtual Routing / Forwarding (VRF) or VRF-lite is the L3 virtua
in Enterprise Campus networks
Guest isolation is done by dedicated VRF instances
[Figure: Campus Virtualization: Employee VRF and Guest VRF carried over 802.1q, GRE, MPLS/LSP, physical or other interfaces, with a global logical or physical (Layer 3) interface.]
Guest Path Isolation using VRF
CAPWAP Path Isolation at Access Layer
L2 Path Isolation between WLC and Default Gateway
L3 VRF Isolation from WLC to Firewall Guest DMZ interface
[Figure: WLC and VRF Virtualization: CAPWAP from the corporate access layer to the Wireless LAN Controller, an isolated L2 VLAN to the L3 switch, then Employee and Guest VRFs across the corporate intranet; guest provisioning shown alongside.]
Wireless Guest Access: Deployment Options Summary
[Figure: two designs, Cisco Unified Wireless with a No-DMZ Controller and Cisco Unified Wireless with VRF, each with PI, LAN and Internet.]
                           No DMZ Controller    VRF
Provisioning Portal        Yes                  Yes
User Login Portal          Yes                  Yes
Traffic Segmentation       VLANs thru Network   VRF thru Network
User Policy Management     Yes                  Yes
Reporting                  Yes                  Yes
Overall Functionality      Medium               High
Overall Design Complexity  Medium               High
Securing Guest with FlexConnect
Guest with FlexConnect: FlexConnect and External WebAuth
[Figure: branch AP across the WAN to the WLC; RADIUS auth, webauth, URL/ACL and VLAN assignment exchanged with ISE.]
ISE for external webauth w
central authentication with l
Guest client is provided with
to ISE
Client does webauth with I
Guest moves to local switch
Guest with FlexConnect: WLC - Virtual Controller (FlexConnect Mode)
[Figure: branch AP and branch VLAN behind a virtual WLC in FlexConnect mode; EoIP tunnel to the anchor controller in a DMZ VLAN behind an ASA firewall and a Cisco 3750 switch; Identity Services Engine, Active Directory and Certificate Authority servers on the corporate intranet; guests go to the Internet, corporate identities to the intranet.]
CWA on Wireless Controllers
CWA on Wireless Controllers
[Figure: guest/contractor on the Guest-SSID via the access point to the WLC; MAB to ISE (AD/CA, ISE Guest DB); the default policy returns a Redirect ACL and URL Redirect; non-HTTP/DHCP/DNS traffic is blocked.]
Foreign Controller Step-by-Step
Pre-Requisites
1. Configure Interfaces
2. Configure Mobility Group Members
3. Configure WLAN
4. Configure Mobility Anchors
Anchor Controller Step-by-Step
Pre-Requisites: Allow A
CWA (U
NOT Required
1. Configure Interfaces
2. Configure Mobility Group Members
3. Configure WLAN
4. Configure Mobility Anchors
Review Wireless CWA Config
CWA Session Flow
[Figure: ISE Server, Foreign WLC and Anchor WLC joined by an EoIP tunnel between 10.1.100.61 / 00:50:56:B0:01:0E and 10.10.20.5 / D0:c2:82:dd:88:00; the guest on the Guest SSID opens a browser.]
Guest Services Portal
When to Use Web-Authentication?
Web Auth is a supplementary authentication method
Most useful when users can't perform or pass 802.1X
Primary Use Case: Guest Access
Secondary Use Case: Employee who fails 802.1X
[Figure: 802.1X for managed 802.1X devices and known users; MAB (MAC address bypass) for managed devices; Web Auth for users without 802.1X, users with bad credentials, and guests.]
Guest Authentication Portal
Wireless Guest Authentication Portal is available in 4 modes:
Internal (Default Web Authentication Pages)
Customized (Downloaded Customized Web Pages)
External (Re-directed to external server)
External Using ISE Guest Server
Wireless Guest Authentication Portal: Internal Web Portal
Wireless guest user associates to the guest SSID
Initiates a browser connection to any website
Web login page will be displayed
[Screenshot: the default (fixed) web login page with its login credentials form.]
Wireless Guest Authentication Portal: Customizable Web Portal
Create your own Guest Access Portal web pages
Upload the customized web page to the WLC
Configure the WLC to use the customizable web portal
Customized WebAuth bundle up to 5 Mb in size can contain:
22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages
22 login successful pages
Wireless Guest Authentication Portal: External Web Portal
Set in WLC > Security > WebAuth > Login
Or override at Guest WLAN
Option to use Pre-Auth ACL
Wireless Guest Authentication Portal: Centralized Login Page
1) Administrator creates WLAN login page on ISE
2) Wireless guest opens web browser
3) Web traffic is intercepted by Wireless LAN Controller and redirected to Guest Server
4) Guest Server returns centralized login page
[Figure: AP, WLC and ISE with steps (2), (3) redirect and (4) marked.]
Guest Services Provisioning
Requirements for Guest Provisioning
Might be performed by non-IT user
Must deliver basic features, but might also require advanced features: duration, start/end time, bulk provisioning
Provisioning Strategies: Lobby Ambassador, Employees
Multiple Guest Provisioning Services
Cisco Guest Access Solution supports several provisioning tools with different feature richness.
Cisco WLC: Basic Provisioning (included in Cisco Wireless LAN Solution)
Cisco Prime Infrastructure: Advanced Provisioning (additional Cisco product)
Cisco Identity Services Engine: Dedicated Provisioning (additional Cisco product)
Guest Provisioning Service: WLC
Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
Lobby Ambassadors have limited guest features and must create the user directly on WLC:
Create Guest User (up to 2048 entries)
Set time limitation (up to 35 weeks)
Set Guest SSID
Set QoS Profile
[Screenshot: Cisco Wireless LAN Controller guest user page.]
Guest Provisioning Service
Lobby administrator can be created in WLC directly
Create the Lobby Admin in WLC
Local WLC Guest Management
Quickly Create Guest with Time and WLAN Profile
Password i
Guest Provisioning Service : PI
Cisco Prime Infrastructure offers specific Lobby Ambassador accounts for Guest management only
Lobby Ambassador accounts can be created directly on PI, or defined on external RADIUS/TACACS+ servers
Lobby Ambassadors on PI are able to create guest accounts with advanced features like:
Start/End time and date, duration,
Bulk provisioning,
Set QoS Profiles,
Set access based on WLC, Access Points or Location
[Screenshot: Cisco Prime Network Control System lobby ambassador settings.]
Guest Provisioning Service: Lobby Ambassador Feature in Cisco Prime
Associate the lobby admin with Profile and Location specific info
Guest Provisioning Service: Add a Guest User with PI
Guest Provisioning Service: Print/E-Mail Details of Guest User
Guest Provisioning Service: Schedule a Guest User
Cisco TrustSec Guest Services
Cisco ISE Guest Server: Guest User Creation
1. Sponsor creates Guest Account through dedicated ISE server
2. Credentials are delivered to Guest by print, email or SMS
3. Guest Authentication on Guest portal
4. RADIUS Request from WLC to Cisco ISE Server
5. RADIUS Response with policies (session timeout, ...)
6. RADIUS Accounting with session information (time, login, IP, MAC, ...)
7. Traffic can go through
[Figure: Lobby Ambassador or Employee Sponsor creates the account on ISE; the guest (visitor, contractor, customer) joins the wireless network; RADIUS requests and RADIUS accounting flow between the WLC and ISE on the corporate network.]
Web Auth and Guest Access
Wireless Considerations
WLC 7.0 supports LWA; 7.2 adds CWA support
ISE Guest Services requires account activation; initial web auth must be against the ISE guest portal (LWA or CWA). As a result:
o Requires ISE be the web auth portal for LWA; no support for hosting the guest portal on WLC
o For anchor controller deployments, requires a pinhole through the DMZ firewall back to the ISE PSN on tcp/8443 from the guest IP address pool.
Web Auth and Guest Access
LWA vs CWA piggybacks on MAB authentication policy rule. Configure:
If User Not Found = Continue (default Reject)
If MAC address lookup fails, reject the request and send access-reject.
If MAC address lookup returns no result, continue the process and move to authorization
URL Redirection
Central Web Auth, Client Provisioning, Posture
Redirect URL: For CWA, Client Provisioning, and Posture, URL returned as a Cisco AV-pair RADIUS attribute.
Ex: cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Redirect ACL: Access devices must be locally configured with an ACL that specifies traffic to be permitted (= redirected) or denied (= not redirected)
ACL value returned as a named ACL on NAD. Ex: cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRE
ACL entries define traffic subject to redirection (permit) and traffic exempt from redirection (deny)
Port ACL: ACL applied to the port (default ACL, dACL, named ACL) that defines traffic allowed through port prior to redirection
Common URLs for Redirection
URL Redirect for Central Web Auth
Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue
URL Redirect for Client Provisioning and Posture
Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue
URL Redirect ACL
Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRE
LWA URL for Default ISE Guest Portal:
https://ip:8443/guestportal/portal.jsp
LWA URL for Custom ISE Guest Portal:
https://ip:8443/guestportal/portals/ClientPortalName/portal.jsp
CWA URL redirect for Custom ISE Guest Portal:
Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?portal=ClientPortalName&sessionId=SessionIdValue&action=cwa
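Added example, not the deck's or Cisco's code: both halves of the CWA exchange on these slides in Python, the ISE-side MAB rule with If User Not Found = Continue handing an unknown MAC on to authorization, the url-redirect / url-redirect-acl AV-pairs it returns, and the NAD-side parsing, redirect-URL checks and redirect-ACL decision (permit = redirect, deny = exempt, as the slide defines it). The ISE address 192.0.2.10, the endpoint database and the ACL contents are constructed; the AV-pair syntax and the gateway URL shape are the slide's.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

ISE_PSN = "192.0.2.10"                                   # constructed ISE policy service node
KNOWN_ENDPOINTS = {"d0:c2:82:dd:88:00": "Corp-Printers"}  # constructed MAB identity store

def mab_authenticate(mac, lookup_failed=False):
    """MAB rule as on the slide: lookup failure -> reject; MAC not found -> continue."""
    if lookup_failed:
        return "reject", None                  # Access-Reject
    return "continue", KNOWN_ENDPOINTS.get(mac.lower())   # unknown MAC still reaches authorization

def authorize(session_id, endpoint_group, acl_name="ACL-WEBAUTH-REDIRECT"):
    """Authorization: an unknown endpoint gets the CWA redirect AV-pairs, a known one does not."""
    if endpoint_group is not None:
        return []                              # known device: ordinary access, no portal redirect
    return [
        f"cisco-av-pair=url-redirect=https://{ISE_PSN}:8443/guestportal/gateway"
        f"?sessionId={session_id}&action=cwa",
        f"cisco-av-pair=url-redirect-acl={acl_name}",
    ]

AVPAIR_RE = re.compile(r"^(?:cisco:)?cisco-av-pair=([^=]+)=(.*)$", re.IGNORECASE)

def parse_av_pairs(attrs):
    """NAD side: extract key/value pairs from cisco-av-pair attributes ('Cisco:' prefix tolerated)."""
    pairs = {}
    for attr in attrs:
        m = AVPAIR_RE.match(attr.strip())
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs

def check_redirect_url(url):
    """Checks a NAD operator wants before trusting a returned redirect URL; empty list = OK."""
    u, problems = urlsplit(url), []
    q = parse_qs(u.query)
    if u.scheme != "https":
        problems.append("scheme")
    if u.hostname != ISE_PSN or u.port != 8443:
        problems.append("endpoint")            # must be the ISE PSN on tcp/8443 (the DMZ pinhole)
    if u.path != "/guestportal/gateway":
        problems.append("path")
    if "sessionId" not in q:
        problems.append("sessionId")
    if q.get("action") != ["cwa"]:
        problems.append("action")
    return problems

# Redirect ACL in the slide's convention: permit = redirect, deny = exempt from redirection.
# Constructed: DHCP, DNS and traffic to the ISE PSN pass untouched, HTTP goes to the portal.
REDIRECT_ACLS = {
    "ACL-WEBAUTH-REDIRECT": [
        ("deny", "udp", "0.0.0.0/0", 67),
        ("deny", "udp", "0.0.0.0/0", 53),
        ("deny", "ip", f"{ISE_PSN}/32", None),
        ("permit", "tcp", "0.0.0.0/0", 80),
    ]
}

def redirect_decision(acl_name, proto, dst_ip, dport):
    """First matching ACE decides; unmatched traffic is not redirected (the port ACL then applies)."""
    for action, ace_proto, ace_net, ace_port in REDIRECT_ACLS[acl_name]:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ip_address(dst_ip) not in ip_network(ace_net):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return "redirect" if action == "permit" else "not-redirected"
    return "not-redirected"

def cwa_flow(mac, session_id):
    """One client end to end: MAB -> authorization -> NAD parses and validates what came back."""
    status, group = mab_authenticate(mac)
    if status == "reject":
        return {"status": status}
    pairs = parse_av_pairs(authorize(session_id, group))
    url = pairs.get("url-redirect")
    return {"status": status, "redirect": url is not None,
            "url_problems": check_redirect_url(url) if url else [],
            "acl": pairs.get("url-redirect-acl")}
```

AireOS WLCs read the redirect ACL the opposite way (permit = pass without redirection, deny = redirect), so confirm which convention the device that receives the ACL name uses before reusing an ACL written for a switch.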
ISE Sponsored Guests: Sponsor Portal
Customizable Web Portal for Sponsors as well
Authenticate Sponsors with corporate credentials:
Local Database
Active Directory
LDAP
RADIUS
Kerberos
Guest Portal Localization
Several Languages are Supported Natively in ISE 1.1
All guest user pages are translated:
Authentication page
Acceptable usage policy
Success/failure page
ISE Self-Registration
4. Guest is re-directed again to login again with auto-generated username
5. Guest is provisioned with Authorization Policy for Web Access Only
6. Acc
via sett
[Figure: GUEST identity store; Internet access.]
ISE Guest User Portal Settings
Guest Portals define what Guest Users will be allowed to perform:
Guests can change password
Guests change password at first login
Guests can be allowed to download the posture client
Guests can do self service
Guests can be allowed to do device registration
Cisco ISE Guest Server: Sponsor Authentication: Local Account/AD
Integrate with Active Directory
Order Priority Sequence to AD > Internal
Assign u
Cisco ISE Guest Server: Guest Portal Customization
Multi-Portal Policies
Password Policy
Time Profiles
Cisco ISE Guest Server: Sponsor Portal
https://:8443/sponsorportal/
Cisco ISE Guest Server: Sponsor Guest Account Creation
Personal Settings
Create/View/Modify Guest Accounts
Tools to Manage Guest Accounts
Email / Print / SMS
Guest Monitoring, Reporting and Troubleshooting
Live Guest Verification - ISE
Monitor > Operations > Authentications window will show all Authentications including Guests
Identity and Authorization can be found for Guests
Guest Monitoring - PI
Monitor > Clients and Users window will show all Authentications including Guests
Identity and Authorization can be found for Guests
Guest Activity Reporting - ISE
Guest Reports
Drill Down Guest Detail
Guest Activity Reporting - PI
Customized Profile and Scheduling
Variable Reporting Periods
Summary
What We Have Covered
What Guest Access Services are made of.
The need for a secured infrastructure to support isolated Gue
Unified Wireless is a key component of this infrastructure.
The Guest Service components are integrated in Cisco Wired
Solution.
Securing FlexConnect is simple to understand and configure.
Guest Access is one of the User Access Policies available to C
Protect enterprise Borderless Network
Cisco TrustSec enhances Guest Services overall.
Recommended Reading
Call to Action
Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action
Get hands-on experience attending one of the Walk-in Labs
Schedule a face-to-face meeting with one of Cisco's engineers at the Meet the Engineer center
Discuss your project's challenges at the Technical Solution