Upload: dodien

Post on 24-Aug-2019

Page 1: Deploying Wireless - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKEWN-2014.pdf · Deploying Wireless Guest Access and BYOD Scott Lee-Guard, Systems Engineer,
Page 2

Deploying Wireless Guest Access and BYOD

Scott Lee-Guard, Systems Engineer, Enterprise Networks

Page 3

• Overview of Guest Access

• Guest Access Control & Path Isolation

• High Availability for Guest Access

• Sleeping Clients

• Guest Services Portals

• Local Web Auth (LWA) vs External Web Auth (EWA)

• WLC, ISE Guest, CMX Connect

• Guest User Provisioning

• Monitoring & Reporting

Agenda

Page 4

Overview: Guest Access

Page 5

How do we define Guest Access?

• Is it via a WiFi Hotspot?

• Does it require login?

• With a username and password?

• Is it Self Registration?

Or Corporate Access?

Or just a 'Secret Code'?

Or via Social Media?

Or is access sponsored by an employee?

The answer is YES

• Are you required to agree to an Acceptable Use Policy (AUP)?

Page 6

Flashback: Wireless Access at Cisco Live! 2015

Page 7

Flashback #2: 5:00am yesterday morning…

Page 8

Requirements for Secure Guest Access

• No access until authorised

• Guest traffic should be segregated from the internal network

• Web-based authentication

• Bandwidth and QoS management

• Overlay onto existing enterprise network

• No device reconfiguration, no client software required: "Plug & Play"

• Easy administration by non-IT staff

• Splash screens and web content can differ by location

• “Guest network” must be free or cost-effective and non-disruptive

• Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP)

• Logging & Monitoring: Auditing of location, MAC, IP address, username

Requirement categories: Technical, Usability, Monitoring

Page 9

Why Web Authentication?

• 802.1X

• Certificates, AD credentials

• Good for managed devices and known users

• MAC Authentication Bypass (MAB)

• Managed devices with NO 802.1X capability or user input

• WPA2 PSK

• No individual identity; the shared key easily becomes widely known and is not rotated

• Web Authentication

• Supplementary authentication method vs OPEN network

• Unmanaged devices

• Allows web redirect (AUP/Legal)

Diagram labels: 802.1X, Guest, Employee

Page 10

Cisco Unified Access Architecture

Diagram labels: Employee, Guest

Access Points

Access Switch

Distribution Switch

Prime Infrastructure

Mobility Controller

Identity Services Engine

Mobility Services Engine

Page 11

Wireless Guest Access Control & Path Isolation

Page 12

End-to-End Guest Traffic Isolation

• The Fact:

• Traffic isolation achieved via CAPWAP tunnel from the AP to the WLAN Controller

• The Challenge:

• How to provide end-to-end wireless guest traffic isolation?

• Allowing internet access but preventing any other communications

• Why We Need it for Guest Access:

• Extend traffic logical isolation end-to-end over L3 network domain

• Separate and differentiate the guest traffic from the corporate traffic

• Securely transport the guest traffic to DMZ

Page 13

Guest Traffic Isolation – Build Another Tunnel

• First hop AP to WLC still via a CAPWAP tunnel

• Tunnel Guest traffic to an Anchor WLC in the DMZ

• This "first stop" WLC is now called the Foreign WLC

Diagram labels: Guest, Employee, WLC, Foreign WLC, Anchor WLC, Corporate Network, DMZ

Page 14

Centralised Guest Anchor Controller (GA)

• Wireless Guests assigned IP address in DMZ

• Point of Presence “POP”

• Simple aggregation to DMZ

• Leverage Firewall and Web Filtering

• Use of up to 71 Anchor tunnels

• WebAuth controls at Guest Anchor

• Security controls

• Pre-Auth ACL, AAA override, QoS, AVC, Session-Timeout, etc.

Page 15

Guest Path Isolation – Building the Tunnel

1. Specify a mobility group for each WLC

2. Open ports for:

i. Inter-Controller Tunneled Client Data

ii. Inter-Controller Control Traffic

iii. EoIP/CAPWAP tunnel protocol

iv. Other ports as required

3. Configure the mobility groups and add the MAC address and IP address of the foreign WLC

4. Check the status of the Mobility Anchors for the WLAN

5. Create Guest VLAN on Anchor controller(s)

6. Configure identical WLANs on the Foreign and Anchor controllers

7. Configure the Mobility Anchor for the Guest WLAN

Page 16

Guest Path Isolation – Ports and Protocols

• Open in both directions for:

  Description                                     IP/TCP/UDP       Open
  EoIP packets (Classic Mobility Anchor)          IP Protocol 97   MUST be open
  Mobility Control & New Mobility Data            UDP 16666        MUST be open
  Inter-Controller CAPWAP Data/Control Traffic    UDP 5247/5246    Do NOT open

• Optional management / operational protocols:

  SSH/Telnet    TCP 22, 23       HTTP/HTTPS    TCP 80, 443
  TFTP          UDP 69           Syslog        UDP/TCP 514
  NTP           UDP 123          RADIUS Auth   UDP 1812
  SNMP          UDP 161, 162     RADIUS Acct   UDP 1813
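The port list above is the kind of thing that drifts on a DMZ firewall over time: CAPWAP ports get opened "to make it work", the mobility rule ends up one-way, and unrelated rules accumulate. The following is an added example, not code from the Cisco Live deck or from Cisco, that audits a constructed rule set against the slide's requirements (mandatory both-way rules, the CAPWAP ports that must stay closed, and the optional management list). The Rule type, the rule sets and the direction labels are assumptions made for the example.

```python
"""Added example (not from the Cisco Live deck): audit a constructed
firewall rule set between a Foreign WLC and a DMZ Guest Anchor against
the port requirements listed on the slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow across the DMZ firewall (constructed model).

    proto:     "ip" (number is an IP protocol number), "udp" or "tcp"
    number:    IP protocol number or L4 port
    direction: "both", "in" (Foreign -> Anchor only) or "out" (Anchor -> Foreign only)
    """
    proto: str
    number: int
    direction: str = "both"


# Required between Foreign and Anchor, both directions (from the slide).
MANDATORY = {
    ("ip", 97): "EoIP (classic mobility anchor)",
    ("udp", 16666): "Mobility control / new mobility data",
}

# Must NOT be opened across the DMZ firewall (from the slide).
FORBIDDEN = {
    ("udp", 5246): "Inter-controller CAPWAP control",
    ("udp", 5247): "Inter-controller CAPWAP data",
}

# Optional management / operational protocols (from the slide).
OPTIONAL = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("udp", 69): "TFTP", ("udp", 514): "Syslog", ("tcp", 514): "Syslog",
    ("udp", 123): "NTP",
    ("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS acct",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP trap",
}


def audit_anchor_firewall(rules):
    """Return a list of findings; an empty list means the rule set matches the slide."""
    opened = {(r.proto, r.number): r.direction for r in rules}
    findings = []
    for key, name in MANDATORY.items():
        direction = opened.get(key)
        if direction is None:
            findings.append(f"MISSING: {name} ({key[0]} {key[1]}) is not open")
        elif direction != "both":
            findings.append(f"ONE-WAY: {name} ({key[0]} {key[1]}) is open '{direction}' only; "
                            "mobility traffic needs both directions")
    for key, name in FORBIDDEN.items():
        if key in opened:
            findings.append(f"FORBIDDEN: {name} ({key[0]} {key[1]}) is open across the DMZ firewall")
    for key in opened:
        if key not in MANDATORY and key not in FORBIDDEN and key not in OPTIONAL:
            findings.append(f"UNLISTED: {key[0]} {key[1]} is not on the anchor port list; review it")
    return findings


# Constructed "before" rule set: CAPWAP leaked through, mobility one-way, a stray RDP rule.
WEAK_RULES = [
    Rule("ip", 97),
    Rule("udp", 16666, direction="in"),
    Rule("udp", 5246),
    Rule("udp", 5247),
    Rule("tcp", 443),
    Rule("tcp", 3389),
]

# Constructed "after" rule set that matches the slide.
CORRECTED_RULES = [
    Rule("ip", 97),
    Rule("udp", 16666),
    Rule("tcp", 443),
    Rule("udp", 514),
    Rule("udp", 1812),
    Rule("udp", 1813),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{label}: {audit_anchor_firewall(rules) or ['OK']}")
```

The UNLISTED check is deliberately noisy: anything not on the slide's list is surfaced for review rather than silently accepted, which is the right default for a rule set that separates the guest DMZ from the corporate network.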

Page 17

Creating the Tunnel – Mobility Groups

• Anchor and Foreign WLCs are configured in different Mobility Groups

Page 18

Creating the Tunnel – Anchor to Foreign

• Add foreign WLCs using MAC and IP address

• Anchor

• Foreign

Page 19

Guest Path Isolation – Anchor VLAN

• Configure Guest VLAN on the Anchor WLC:

Page 20

Tunnel the WLAN – Mobility Anchor on Anchor

• Configure the mobility anchor for the guest WLAN on Anchor WLCs:

Screenshot callout: select "local" (on the Anchor WLC)

Page 21

Tunnel the WLAN – Mobility Anchor on Foreign

• Configure the mobility anchor for the guest WLAN on Foreign WLCs:

Screenshot callout: select the Anchor IP (on the Foreign WLC)

Page 22

Guest Access High Availability

Page 23

Guest Anchor Redundancy

Pre AireOS 8.1

• Add a second Anchor Controller in any DMZ

• A Foreign controller load balances guest clients across the list of Anchor controllers configured on the WLAN

• Guest clients are load balanced in round robin fashion amongst anchor controllers

• If an anchor fails, guest clients will be load balanced amongst remaining anchor controllers

Page 24

Guest Anchor High Availability with SSO

• Add a second Anchor Controller in the same DMZ

• True Box to Box High Availability

• One WLC in Active state and second WLC in Hot Standby state

• Secondary continuously monitors the health of Active WLC

• Configuration on Active synched to Standby

• AP CAPWAP State (7.3+) and active Client State (7.5+) synchronised

• Full Stateful Switch Over (SSO) from Active to Standby

• A Foreign controller only sees a single Anchor controller

Page 25

Guest Anchor Redundancy with Priority

AireOS 8.1 onwards

• Add a second Anchor Controller in any DMZ

• A Foreign controller designates one anchor as Primary with one or more Secondary anchors

• Guest clients will be tunneled to anchor with highest priority

• If an anchor fails, guest clients will be sent to anchor with next highest priority

• Round robin if remaining anchors have same priority

• Multiple anchors not needed in each location for redundancy
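To make the difference between the two redundancy models concrete, here is an added example (not code from the Cisco Live deck or from Cisco) that models how a Foreign WLC picks an anchor for each new guest client: pre-8.1 round robin across every healthy anchor, versus 8.1+ selection by priority with round robin only inside the best remaining tier. The anchor names, the topology and the convention that priority 1 is the highest are assumptions made for the example.

```python
"""Added example (not from the Cisco Live deck): a model of how a Foreign
WLC picks a Guest Anchor, contrasting pre-8.1 round robin with 8.1+
anchor priority. Priority numbering is an assumption: 1 is treated as the
highest priority, 3 as the lowest."""


class AnchorSelector:
    """Tracks configured anchors, their health and the round-robin position."""

    def __init__(self, anchors, priority_aware=True):
        # anchors: {anchor name: priority}; lower number = higher priority (assumed)
        self.anchors = dict(anchors)
        self.priority_aware = priority_aware
        self.failed = set()
        self._rr = {}  # round-robin cursor per candidate set

    def fail(self, name):
        """Mark an anchor down (e.g. mobility keepalives lost)."""
        self.failed.add(name)

    def recover(self, name):
        self.failed.discard(name)

    def candidates(self):
        """Anchors eligible for the next client."""
        healthy = [n for n in self.anchors if n not in self.failed]
        if not healthy or not self.priority_aware:
            return healthy                      # pre-8.1: every healthy anchor is equal
        best = min(self.anchors[n] for n in healthy)
        return [n for n in healthy if self.anchors[n] == best]   # 8.1+: best tier only

    def select(self):
        """Choose the anchor for one new guest client."""
        cands = self.candidates()
        if not cands:
            raise RuntimeError("no healthy anchor; guest client cannot be tunneled")
        key = tuple(cands)
        i = self._rr.get(key, 0)
        self._rr[key] = i + 1
        return cands[i % len(cands)]            # round robin within the tier

    def assign(self, n):
        """Anchor choices for n consecutive new clients."""
        return [self.select() for _ in range(n)]


# Constructed topology: one anchor in the main DMZ, two in a second DMZ.
ANCHORS = {"anchor-dmz1": 1, "anchor-dmz2a": 2, "anchor-dmz2b": 2}


def failover_trace(priority_aware):
    """Assign clients, take the primary anchor down, assign again, bring it back."""
    sel = AnchorSelector(ANCHORS, priority_aware)
    before = sel.assign(3)
    sel.fail("anchor-dmz1")
    during = sel.assign(3)
    sel.recover("anchor-dmz1")
    after = sel.assign(2)
    return before, during, after


if __name__ == "__main__":
    print("pre-8.1 round robin :", failover_trace(priority_aware=False))
    print("8.1+ anchor priority:", failover_trace(priority_aware=True))
```

The model only covers placement of new clients; clients already tunneled to an anchor that later recovers stay where they are, which is why the slide's point about not needing multiple anchors per location matters for capacity planning as well as redundancy.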

Page 26

Mobility Anchor Priority on Foreign

• Edit the mobility anchor for the guest WLAN on Foreign WLCs:

Screenshot callout: select Priority 1, 2 or 3 (on the Foreign WLC)

Page 27

Sleeping Clients: The Re-Authentication Issue

Page 28

Sleeping Guest Clients

What's the Problem?

• Client devices connected to web-auth enabled WLANs have to enter login credentials every time the client goes to sleep and wakes up

• NOT just Guests

The Solution (7.5 and above)

• When user-idle timeout exceeded, client entry is moved to Sleeping Client DB

• Configurable per-WLAN, up to 30 days / 720 hours

• Client re-connecting within Sleeping Timer does not need to re-enter credentials

• Cached information is passed as client roams

• Even when waking up in another AP cell (same WLAN, same mobility group)
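The following is an added example, not code from the Cisco Live deck or from Cisco, that models the per-WLAN behaviour described on this slide: a web-authenticated client that exceeds the user idle timeout is parked in a sleeping client DB with an expiry, a client that returns before that expiry is restored without seeing the portal again, and one that sleeps past it must re-authenticate. The idle timeout of 300 s, the 12-hour sleeping timer, the MAC address and the class names are constructed for the example; the 720-hour ceiling is the figure from the slide.

```python
"""Added example (not from the Cisco Live deck): a model of the per-WLAN
Sleeping Client behaviour described on the slide. Timer values, the
user idle timeout of 300 s and the MAC address are constructed."""
from dataclasses import dataclass, field

MAX_SLEEPING_HOURS = 720          # slide: configurable up to 30 days / 720 hours


@dataclass
class WlanSleepingConfig:
    user_idle_timeout_s: int = 300    # constructed default
    sleeping_timer_h: int = 12        # constructed value; must be within the slide's range

    def __post_init__(self):
        if not 1 <= self.sleeping_timer_h <= MAX_SLEEPING_HOURS:
            raise ValueError(f"sleeping timer must be 1..{MAX_SLEEPING_HOURS} hours")


@dataclass
class SleepingClientDB:
    """Tracks web-authenticated clients and the ones parked in the sleeping DB."""
    cfg: WlanSleepingConfig
    active: dict = field(default_factory=dict)    # mac -> last traffic time (s)
    sleeping: dict = field(default_factory=dict)  # mac -> expiry time (s)

    def webauth_success(self, mac, now):
        """Client passed the web-auth portal; it is now an active, authorised client."""
        self.active[mac] = now

    def traffic(self, mac, now):
        """Any traffic from an active client refreshes its idle timer."""
        if mac in self.active:
            self.active[mac] = now

    def tick(self, now):
        """Housekeeping: park idle clients, purge sleeping entries whose timer has run out."""
        for mac, last_seen in list(self.active.items()):
            if now - last_seen > self.cfg.user_idle_timeout_s:
                del self.active[mac]
                # The sleeping timer starts when the idle timeout expired, not when
                # this housekeeping happened to run.
                idle_expired_at = last_seen + self.cfg.user_idle_timeout_s
                self.sleeping[mac] = idle_expired_at + self.cfg.sleeping_timer_h * 3600
        for mac, expiry in list(self.sleeping.items()):
            if now >= expiry:
                del self.sleeping[mac]

    def reconnect(self, mac, now):
        """Outcome when a client (re)associates: 'active', 'restored' or 'webauth-required'."""
        self.tick(now)
        if mac in self.active:
            self.active[mac] = now
            return "active"                   # never went idle; nothing to do
        if mac in self.sleeping:
            del self.sleeping[mac]
            self.active[mac] = now
            return "restored"                 # woke up within the sleeping timer: no portal
        return "webauth-required"             # unknown, or slept past the timer: portal again


def laptop_day():
    """Walk one constructed client through sleep/wake cycles; returns the outcomes."""
    db = SleepingClientDB(WlanSleepingConfig(user_idle_timeout_s=300, sleeping_timer_h=12))
    mac = "00:11:22:33:44:55"                # constructed MAC
    outcomes = []
    outcomes.append(db.reconnect(mac, now=0))                       # never authenticated yet
    db.webauth_success(mac, now=0)
    outcomes.append(db.reconnect(mac, now=100))                     # brief drop, still active
    outcomes.append(db.reconnect(mac, now=1_000))                   # idle > 300 s: parked, restored
    outcomes.append(db.reconnect(mac, now=1_000 + 11 * 3600))       # slept 11 h < 12 h timer
    outcomes.append(db.reconnect(mac, now=1_000 + 24 * 3600))       # slept 13 h > 12 h timer
    return outcomes


if __name__ == "__main__":
    print(laptop_day())
```

Two design points carry over to a real deployment: the sleeping timer is anchored to when the idle timeout expired rather than to when the controller noticed, and the state is keyed on the client MAC, which is exactly why the slide's roaming note (same WLAN, same mobility group) is needed for the cached entry to follow the client.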

Page 29

Sleeping Client Configuration

• Configured from the Layer 3 Security section of the WLAN:

Page 30

Sleeping Client Verification

• Client information visible in GUI:

Page 31

Sleeping Clients with ISE

• Device/user logs in to hotspot or credentialed portal

• MAC automatically registered into GuestEndpoint group:

• AuthZ policy grants immediate access until device purged

Page 32

Guest Services Portal: Local Web Auth vs. External Web Auth

Page 33

Local Web Auth (LWA) or External Web Auth (EWA)

• Wireless & Wired Guest Web Authentication Portal is available in 4 modes:

  Mode   Web Authentication Type                                             Local or External
  1      Internal (Default)                                                  Local Web Auth (LWA)
  2      Customised (Customised Downloaded)                                  Local Web Auth (LWA)
  3      Internal (1) or Customised (2) using ISE for RADIUS Authentication  Local Web Auth (LWA)
  4      External (Re-directed to external server)                           External Web Auth (EWA)

Page 34

LWA Internal Guest Services Portal

• Internal (Default) Web Portal

• URL re-direct after login

• or leave blank

• Customise options for:

• Page Headline

• Splash page message

• Show/hide Cisco Logo

Page 35

LWA Customised Guest Services Portal

• Create your own Guest Access Portal web pages

• Upload the customised web page to the WLC

• Configure the WLC to use “Customised (Downloaded) web portal”

• Customised WebAuth bundle up to 5 Mb in size can contain:

• 22 login pages (16 WLANs, 5 Wired LANs, 1 Global)

• 22 login failure pages

• 22 login successful pages

Page 36

EWA Guest Services Portal

• External (Redirect to external server)

• Pre-Authentication ACL

• Optional:

• Override WebAuth type at Guest WLAN level

Page 37

ISE Guest Portals (External Web Auth)

Page 38

ISE 2.0 Portal Creation for Guest and BYOD

• Set up a Guest or BYOD workflow in just a few clicks.

Page 39

ISE 2.0 Portal Customisation for Guest and BYOD

Portal Control Options: Access code, AUP, BYOD, Self Registration, Device Registration, Required Fields and more

Workflow Visibility: ISE updates the portal workflow in real-time with each change.

Page 40

ISE 2.0 Guest Portal

Page 41

ISE 2.0 Guest Portal – Self Registration

Page 42

CMX Connect for Guest Access

Page 43

Cisco Connected Mobile Experiences (CMX)

DETECT

• Presence and location detection

• Visibility (Wi-Fi, BLE)

CONNECT

• Easy Wi-Fi login, custom or social

• Zone-based, custom splash pages

ENGAGE

• App-based mobile engagement

• Context-aware in-venue experiences

ANALYTICS: Presence, Location, Social

Page 44

Guest Access with CMX Connect

• Simplify Access with User Opt-In

• Offer Clear Terms and Conditions

• Multiple Access Methods

• Custom or Social Media

• Customised Access

• Proximity-Based Landing Pages and Promotion Alerts (Coupons)

• Understand Who Is in Your Location

• Enhanced Analytics

Page 45

Facebook Wi-Fi: Access Demographic Data

Data is aggregated for trend analysis. A marketing team with a Facebook Ads budget could use this to get a higher ROI from its advertising spend.

Page 46

Facebook Wi-Fi Configuration

• Import map from CPI

• Use MSE GUI to assign FB Page

• Configure WLAN to redirect to MSE

Page 47

Guest Services Provisioning

Page 48

Guest Provisioning Requirements

• Might be performed by non-IT user (Lobby Ambassador)

• Must deliver basic features, but might also require advanced features:

• Duration,

• Start/End Time,

• Bulk provisioning

• Reporting

• Provisioning Strategies :

• Lobby Ambassador

• Employees

Page 49

Guest Provisioning Choices

Cisco Guest Access Solution supports a range of provisioning tools

Provisioning tools shown: Prime Infrastructure, Mobility Controller, Identity Services Engine, Custom Server, CMX Connect

Provisioning tiers shown: Basic Provisioning, Advanced Provisioning, Dedicated Provisioning, Customised Provisioning, Social Login

Page 50

Guest Provisioning: Wireless LAN Controller

Page 51

Guest Provisioning – Local WLC

• Lobby Ambassador accounts can be created directly on Wireless LAN Controllers

• Lobby Ambassadors have limited guest features and must create the user directly on WLC:

• Create Guest User – up to 2048 entries

• Set time limitation – up to 35 weeks

• Set Guest SSID

• Set QoS Profile

• Cisco Wireless LAN Controller (AireOS)

Page 52

Guest Provisioning – Lobby Admin on WLC

• A Lobby Administrator can be created directly on the Wireless LAN Controller (WLC)

Page 53

Guest Provisioning – Local WLC

Page 54

Guest Provisioning: Prime Infrastructure

Page 55

Guest Provisioning – Prime Infrastructure

• CPI offers specific Lobby Ambassador access for Guest management only

• Lobby Ambassador accounts can be created:

• Directly on CPI

• Defined on external RADIUS/TACACS+ servers

• Lobby Ambassadors on CPI are able to create guest accounts with advanced features like:

• Start/End time and date, duration

• Bulk provisioning

• Set QoS Profiles

• Set access based on WLC, Access Points or Location

Page 56

Guest Provisioning – Lobby Admin in Prime

• Create the Reception User ID and assign to "Lobby Ambassador" group

Page 57

Guest Provisioning – Lobby Admin in Prime

• Associate the lobby admin with Profile and Location specific information

• Customise text and logo details

Page 58

Guest Provisioning – Prime Infrastructure

Page 59

Guest Provisioning – Prime Infrastructure

Page 60

Bulk Guest Provisioning – Prime Infrastructure

Page 61

Guest Provisioning – Print/Email Guest Details

Page 62

Guest Provisioning: Identity Services Engine

Page 63

ISE Sponsor Portal

• Customisable Web Portal for Sponsors as well

• Authenticate Sponsors with corporate credentials:

• Local Database

• Active Directory

• LDAP

• RADIUS

• Kerberos

Page 64

ISE 2.0 Sponsor Portal – Create Guest

Page 65

ISE 2.0 Sponsor Portal – Guest Notification

Page 66

ISE 2.0 Sponsor Portal – Manage Guests

Page 67

ISE 2.0 Sponsor Portal – Manage Guests (detail)

Page 68

Guest Monitoring & Reporting

Page 69

Guest Monitoring – Prime Infrastructure

• Monitor > Monitoring Tools > Clients and Users window will show all Authentications including Guests

Page 70

Guest Monitoring Detail – Prime Infrastructure

Page 71

Guest Activity Reporting – Prime Infrastructure

Page 72

Guest Monitoring - ISE

• Operations > RADIUS Live Log window will show all Authentications including Guests

• Identity and Authorisation can be found for Guests

Page 73

Guest Activity Reporting - ISE

Page 74

Summary

Page 75

Wireless Guest – Key Takeaways

• Web Authentication is a supplementary authentication method

• Guest traffic isolation is provided via tunnels between Anchor and Foreign

• High Availability is achieved via Anchor Priority, SSO or both

• Sleeping Clients are no problem!

• Guest Portals can be managed:

• Locally via WLC

• Externally via ISE or CMX

• Guest users can be provisioned via WLC, CPI or ISE

• Guest activity can be monitored and reported via CPI or ISE

Page 76

Q & A

Page 77

Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:

– Directly from your mobile device on the Cisco Live Mobile App

– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/

– Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected Friday 11 March at Registration

Page 78

Thank you

Page 79