TRANSCRIPT
Deploying Wireless Guest Access and BYOD
Scott Lee-Guard, Systems Engineer, Enterprise Networks
Agenda
• Overview of Guest Access
• Guest Access Control & Path Isolation
• High Availability for Guest Access
• Sleeping Clients
• Guest Services Portals
• Local Web Auth (LWA) vs External Web Auth (EWA)
• WLC, ISE Guest, CMX Connect
• Guest User Provisioning
• Monitoring & Reporting
Overview: Guest Access
How do we define Guest Access?
• Is it via a WiFi Hotspot?
• Does it require login?
• With a username and password?
• Is it Self Registration?
• Or Corporate Access?
• Or just a 'Secret Code'?
• Or via Social Media?
• Or is access sponsored by an employee?
• Are you required to agree to an Acceptable Use Policy (AUP)?
The answer is YES
Flashback: Wireless Access at CiscoLive! 2015
Flashback #2: 5:00am yesterday morning…
Requirements for Secure Guest Access
• No access until authorised
• Guest traffic should be segregated from the internal network
• Web-based authentication
• Bandwidth and QoS management
• Overlay onto existing enterprise network
• No device reconfiguration, no client software required “Plug & Play”
• Easy administration by non-IT staff
• Splash screens and web content can differ by location
• “Guest network” must be free or cost-effective and non-disruptive
• Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP)
• Logging & Monitoring: Auditing of location, MAC, IP address, username
(Requirement categories: Technical, Usability, Monitoring)
Why Web Authentication?
• 802.1X
• Certificates, AD credentials
• Good for managed devices and known users
• MAC Authentication Bypass (MAB)
• Managed devices with NO 802.1X capability or user input
• WPA2 PSK
• No individual identity; the shared key easily becomes well-known and is not rotated
• Web Authentication
• Supplementary authentication method vs OPEN network
• Unmanaged devices
• Allows web redirect (AUP/Legal)
[Figure labels: 802.1X, Guest, Employee]
Cisco Unified Access Architecture
[Figure: Employee and Guest clients, Access Points, Access Switch, Distribution Switch, Mobility Controller, Prime Infrastructure, Identity Services Engine, Mobility Services Engine]
Wireless Guest Access Control & Path Isolation
End-to-End Guest Traffic Isolation
• The Fact:
• Traffic isolation achieved via CAPWAP tunnel from the AP to the WLAN Controller
• The Challenge:
• How to provide end-to-end wireless guest traffic isolation?
• Allowing internet access but preventing any other communications
• Why We Need it for Guest Access:
• Extend traffic logical isolation end-to-end over L3 network domain
• Separate and differentiate the guest traffic from the corporate traffic
• Securely transport the guest traffic to DMZ
Guest Traffic Isolation – Build Another Tunnel
• First hop AP to WLC still via a CAPWAP tunnel
• Tunnel Guest traffic to an Anchor WLC in the DMZ
• This "first stop" WLC is now called the Foreign WLC
[Figure: Guest and Employee traffic – Foreign WLC in the Corporate Network, Anchor WLC in the DMZ]
Centralised Guest Anchor Controller (GA)
• Wireless Guests assigned IP address in DMZ
• Point of Presence “POP”
• Simple aggregation to DMZ
• Leverage Firewall and Web Filtering
• Use of up to 71 Anchor tunnels
• WebAuth controls at Guest Anchor
• Security controls
• Pre-Auth ACL, AAA override, QoS, AVC, Session-Timeout, etc.
Guest Path Isolation – Building the Tunnel
1. Specify a mobility group for each WLC
2. Open ports for:
i. Inter-Controller Tunneled Client Data
ii. Inter-Controller Control Traffic
iii. EoIP/CAPWAP tunnel protocol
iv. Other ports as required
3. Configure the mobility groups and add the MAC-address and IP address of the foreign WLC
4. Check the status of the Mobility Anchors for the WLAN
5. Create Guest VLAN on Anchor controller(s)
6. Configure identical WLANs on the Foreign and Anchor controllers
7. Configure the Mobility Anchor for the Guest WLAN
Guest Path Isolation – Ports and Protocols
• Open in both directions for:
  Description                                   IP/TCP/UDP        Open
  EoIP packets (Classic Mobility Anchor)        IP Protocol 97    MUST be open
  Mobility Control & New Mobility Data          UDP 16666         MUST be open
  Inter-Controller CAPWAP Data/Control Traffic  UDP 5247/5246     Do NOT open
• Optional management / operational protocols:
  SSH/Telnet    TCP 22, 23       HTTP/HTTPS    TCP 80, 443
  TFTP          UDP 69           Syslog        UDP/TCP 514
  NTP           UDP 123          RADIUS Auth   UDP 1812
  SNMP          UDP 161, 162     RADIUS Acct   UDP 1813
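An added example (not from the slides) that checks a firewall policy between the Foreign WLC and the DMZ Anchor WLC against the port table above: EoIP (IP protocol 97) and UDP 16666 must be permitted in both directions, while inter-controller CAPWAP (UDP 5246/5247) must stay closed. The rule records and the "foreign"/"anchor" labels are constructed sample data.

```python
# Added example: validate a Foreign<->Anchor firewall policy against the
# mobility-tunnel port table. Rule format and sample rules are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                        # "foreign" or "anchor" (constructed labels)
    dst: str
    proto: str                      # "ip", "udp" or "tcp"
    port: Optional[int] = None      # None for port-less protocols
    ip_proto: Optional[int] = None  # IP protocol number, e.g. 97 for EoIP

# Mandatory for the anchor tunnel, in BOTH directions (from the port table)
REQUIRED = {("ip", None, 97): "EoIP (classic mobility anchor)",
            ("udp", 16666, None): "Mobility control / new mobility data"}
# Must stay closed between controllers: CAPWAP is AP<->WLC only
FORBIDDEN = {("udp", 5246, None): "Inter-controller CAPWAP control",
             ("udp", 5247, None): "Inter-controller CAPWAP data"}

def check_policy(rules):
    """Return findings as strings; an empty list means the policy matches the table."""
    findings = []
    for src, dst in (("foreign", "anchor"), ("anchor", "foreign")):
        present = {(r.proto, r.port, r.ip_proto) for r in rules
                   if (r.src, r.dst) == (src, dst)}
        for key, name in REQUIRED.items():
            if key not in present:
                findings.append(f"MISSING {name} {src}->{dst}")
        for key, name in FORBIDDEN.items():
            if key in present:
                findings.append(f"OPEN {name} {src}->{dst} (should be closed)")
    return findings

# Constructed sample policy: one mandatory rule missing, CAPWAP data wrongly open
SAMPLE_POLICY = [
    Rule("foreign", "anchor", "ip", ip_proto=97),
    Rule("anchor", "foreign", "ip", ip_proto=97),
    Rule("foreign", "anchor", "udp", port=16666),
    Rule("foreign", "anchor", "udp", port=5247),   # inter-controller CAPWAP: must NOT be open
    Rule("foreign", "anchor", "udp", port=1812),   # RADIUS auth: optional, fine
]
COMPLIANT_POLICY = [
    Rule("foreign", "anchor", "ip", ip_proto=97), Rule("anchor", "foreign", "ip", ip_proto=97),
    Rule("foreign", "anchor", "udp", port=16666), Rule("anchor", "foreign", "udp", port=16666),
]

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```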
Creating the Tunnel – Mobility Groups
• Anchor and Foreign WLCs are configured in different Mobility Groups
Creating the Tunnel – Anchor to Foreign
• Add foreign WLCs using MAC and IP address
• Anchor
• Foreign
Guest Path Isolation – Anchor VLAN
• Configure Guest VLAN on the Anchor WLC:
Tunnel the WLAN – Mobility Anchor on Anchor
• Configure the mobility anchor for the guest WLAN on Anchor WLCs:
On Anchor WLC: select Local
Tunnel the WLAN – Mobility Anchor on Foreign
• Configure the mobility anchor for the guest WLAN on Foreign WLCs:
On Foreign WLC: select Anchor IP
Guest Access High Availability
Guest Anchor Redundancy
Pre AireOS 8.1
• Add a second Anchor Controller in any DMZ
• A Foreign controller load balances guest clients across the list of Anchor controllers configured on the WLAN
• Guest clients are load balanced in round robin fashion amongst anchor controllers
• If an anchor fails, guest clients will be load balanced amongst remaining anchor controllers
Guest Anchor High Availability with SSO
• Add a second Anchor Controller in the same DMZ
• True Box to Box High Availability
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of Active WLC
• Configuration on Active synched to Standby
• AP CAPWAP State (7.3+) and active Client State (7.5+) synchronised
• Full Stateful Switch Over (SSO) from Active to Standby
• A Foreign controller only sees a single Anchor controller
Guest Anchor Redundancy with Priority
AireOS 8.1 onwards
• Add a second Anchor Controller in any DMZ
• A Foreign controller designates one anchor as Primary with one or more Secondary anchors
• Guest clients will be tunneled to anchor with highest priority
• If an anchor fails, guest clients will be sent to anchor with next highest priority
• Round robin if remaining anchors have same priority
• Multiple anchors not needed in each location for redundancy
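An added example (not from the slides) modelling how a Foreign controller chooses an Anchor under the AireOS 8.1 priority scheme above, with the pre-8.1 round-robin behaviour selectable for comparison. It assumes priority 1 is the highest (matching the "Priority 1,2,3" setting); the anchor addresses are constructed.

```python
# Added example: Foreign-WLC anchor selection with priority, failover and
# round-robin on equal priority. Anchor IPs are constructed sample values.
from itertools import cycle

class AnchorSelector:
    """Pick the highest-priority live anchor; round-robin among ties."""

    def __init__(self, anchors, legacy_round_robin=False):
        self.anchors = dict(anchors)          # ip -> priority (assumed: 1 = highest)
        self.legacy = legacy_round_robin      # pre-8.1: ignore priority, round-robin all
        self.failed = set()
        self._rr = {}                         # candidate tuple -> round-robin iterator

    def mark_failed(self, ip):
        self.failed.add(ip)

    def mark_recovered(self, ip):
        self.failed.discard(ip)

    def select(self):
        alive = {ip: p for ip, p in self.anchors.items() if ip not in self.failed}
        if not alive:
            return None                       # no anchor left: guest tunnel cannot be built
        if self.legacy:
            candidates = tuple(sorted(alive))
        else:
            best = min(alive.values())        # lowest number = highest priority
            candidates = tuple(sorted(ip for ip, p in alive.items() if p == best))
        # round-robin only within the set of equally-preferred anchors
        if candidates not in self._rr:
            self._rr[candidates] = cycle(candidates)
        return next(self._rr[candidates])

# Constructed: one primary anchor and two equal-priority secondaries
ANCHORS = {"198.51.100.1": 1, "198.51.100.2": 2, "198.51.100.3": 2}
```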
Mobility Anchor Priority on Foreign
• Edit the mobility anchor for the guest WLAN on Foreign WLCs:
On Foreign WLC: select Priority 1, 2, 3
Sleeping Clients: The Re-Authentication Issue
Sleeping Guest Clients
What's the Problem?
• Client devices connected to web-auth enabled WLANs have to enter login credentials every time the client goes to sleep and wakes up
• NOT just Guests
The Solution (7.5 and above)
• When user-idle timeout exceeded, client entry is moved to Sleeping Client DB
• Configurable per-WLAN, up to 30 days / 720 hours
• Client re-connecting within Sleeping Timer does not need to re-enter credentials
• Cached information is passed as client roams
• Even when waking up in another AP cell (same WLAN, same mobility group)
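An added example (not from the slides) modelling the Sleeping Client DB behaviour described above: a web-authenticated client that exceeds the user-idle timeout is moved to the sleeping DB, re-admitted without credentials if it returns within the per-WLAN sleeping timer (1 to 720 hours), and purged afterwards. The idle timeout value, MAC addresses and timestamps are constructed.

```python
# Added example: state model of the Sleeping Client DB. Timeouts and MACs are
# constructed; real WLC internals (mobility-group sharing of the cache) are not modelled.
from dataclasses import dataclass, field

USER_IDLE_TIMEOUT = 300          # constructed: seconds of idleness before "asleep"
MAX_SLEEPING_TIMER_HOURS = 720   # per-WLAN maximum from the slides (30 days)

@dataclass
class WebAuthWlan:
    sleeping_timer_hours: int
    active: dict = field(default_factory=dict)    # mac -> last_seen (seconds)
    sleeping: dict = field(default_factory=dict)  # mac -> time moved to sleeping DB

    def __post_init__(self):
        if not 1 <= self.sleeping_timer_hours <= MAX_SLEEPING_TIMER_HOURS:
            raise ValueError("sleeping timer must be 1..720 hours")

    def web_auth_success(self, mac, now):
        """Client passed the web-auth portal: it is an active, authenticated client."""
        self.sleeping.pop(mac, None)
        self.active[mac] = now

    def tick(self, now):
        """Move idle clients to the sleeping DB; purge sleeping entries past the timer."""
        for mac, last_seen in list(self.active.items()):
            if now - last_seen > USER_IDLE_TIMEOUT:
                del self.active[mac]
                self.sleeping[mac] = now
        limit = self.sleeping_timer_hours * 3600
        for mac, slept_at in list(self.sleeping.items()):
            if now - slept_at > limit:
                del self.sleeping[mac]

    def reconnect(self, mac, now):
        """True if the returning client is re-admitted without re-entering credentials."""
        self.tick(now)
        if mac in self.sleeping:
            del self.sleeping[mac]
            self.active[mac] = now
            return True
        return False                          # unknown or expired: back to the portal
```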
Sleeping Client Configuration
• Configured from the Layer 3 Security section of the WLAN:
Sleeping Client Verification
• Client information visible in GUI:
Sleeping Clients with ISE
• Device/user logs in to hotspot or credentialed portal
• MAC automatically registered into GuestEndpoint group:
• AuthZ policy grants immediate access until device purged
Guest Services Portal: Local Web Auth vs. External Web Auth
Local Web Auth (LWA) or External Web Auth (EWA)
• Wireless & Wired Guest Web Authentication Portal is available in 4 modes:
  Mode  Web Authentication Type                                              Local or External
  1     Internal (Default)                                                   Local Web Auth (LWA)
  2     Customised (Customised Downloaded)                                   Local Web Auth (LWA)
  3     Internal (1) or Customised (2) using ISE for RADIUS Authentication   Local Web Auth (LWA)
  4     External (Re-directed to external server)                            External Web Auth (EWA)
LWA Internal Guest Services Portal
• Internal (Default) Web Portal
• URL re-direct after login
• or leave blank
• Customise options for:
• Page Headline
• Splash page message
• Show/hide Cisco Logo
LWA Customised Guest Services Portal
• Create your own Guest Access Portal web pages
• Upload the customised web page to the WLC
• Configure the WLC to use “Customised (Downloaded) web portal”
• Customised WebAuth bundle up to 5 Mb in size can contain:
• 22 login pages (16 WLANs, 5 Wired LANs, 1 Global)
• 22 login failure pages
• 22 login successful pages
EWA Guest Services Portal
• External (Redirect to external server)
• Pre-Authentication ACL
• Optional:
• Override WebAuth type at Guest WLAN level
ISE Guest Portals (External Web Auth)
ISE 2.0 Portal Creation for Guest and BYOD
• Set up a Guest or BYOD workflow in just a few clicks.
ISE 2.0 Portal Customisation for Guest and BYOD
• Portal Control Options: Access code, AUP, BYOD, Self Registration, Device Registration, Required Fields and more
• Workflow Visibility: ISE updates the portal workflow in real-time with each change.
ISE 2.0 Guest Portal
ISE 2.0 Guest Portal – Self Registration
CMX Connect for Guest Access
Cisco Connected Mobile Experiences (CMX)
[Figure columns: Presence, Location, Social]
DETECT
• Presence and location detection
• Visibility (Wi-Fi, BLE)
CONNECT
• Easy Wi-Fi login, custom or social
• Zone-based, custom splash pages
ENGAGE
• App-based mobile engagement
• Context-aware in-venue experiences
ANALYTICS
Guest Access with CMX Connect
• Simplify Access with User Opt-In
• Offer Clear Terms and Conditions
• Multiple Access Methods
• Custom or Social Media
• Customised Access
• Proximity-Based Landing Pages and Promotion Alerts (Coupons)
• Understand Who Is in Your Location
• Enhanced Analytics
Facebook Wi-Fi: Access Demographic Data
Data is aggregated for trend analysis. A marketing team with a Facebook Ads budget could use this for higher ROI on advertising spend.
Facebook Wi-Fi Configuration
• Import map from CPI
• Use MSE GUI to assign FB Page
• Configure WLAN to redirect to MSE
Guest Services Provisioning
Guest Provisioning Requirements
• Might be performed by non-IT user (Lobby Ambassador)
• Must deliver basic features, but might also require advanced features:
• Duration,
• Start/End Time,
• Bulk provisioning
• Reporting
• Provisioning Strategies :
• Lobby Ambassador
• Employees
Guest Provisioning Choices
Cisco Guest Access Solution supports a range of provisioning tools
[Figure: Provisioning tools – Prime Infrastructure, Mobility Controller, Identity Services Engine, Custom Server, CMX Connect; provisioning levels – Basic Provisioning, Advanced Provisioning, Dedicated Provisioning, Customised Provisioning, Social Login]
Guest Provisioning: Wireless LAN Controller
Guest Provisioning – Local WLC
• Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
• Lobby Ambassadors have limited guest features and must create the user directly on WLC:
• Create Guest User – up to 2048 entries
• Set time limitation – up to 35 weeks
• Set Guest SSID
• Set QoS Profile
• Cisco Wireless LAN Controller (AireOS)
Guest Provisioning – Lobby Admin on WLC
• Lobby Administrator can be created directly on the Wireless LAN Controller (WLC)
Guest Provisioning – Local WLC
Guest Provisioning: Prime Infrastructure
Guest Provisioning – Prime Infrastructure
• CPI offers specific Lobby Ambassador access for Guest management only
• Lobby Ambassador accounts can be created:
• Directly on CPI
• Defined on external RADIUS/TACACS+ servers
• Lobby Ambassadors on CPI are able to create guest accounts with advanced features like:
• Start/End time and date, duration
• Bulk provisioning
• Set QoS Profiles
• Set access based on WLC, Access Points or Location
Guest Provisioning – Lobby Admin in Prime
• Create the Reception User ID and assign to "Lobby Ambassador" group
Guest Provisioning – Lobby Admin in Prime
• Associate the lobby admin with Profile and Location specific information
• Customise text and logo details
Guest Provisioning – Prime Infrastructure
Bulk Guest Provisioning – Prime Infrastructure
Guest Provisioning – Print/Email Guest Details
Guest Provisioning: Identity Services Engine
ISE Sponsor Portal
• Customisable Web Portal for Sponsors as well
• Authenticate Sponsors with corporate credentials:
• Local Database
• Active Directory
• LDAP
• RADIUS
• Kerberos
ISE 2.0 Sponsor Portal – Create Guest
ISE 2.0 Sponsor Portal – Guest Notification
ISE 2.0 Sponsor Portal – Manage Guests
ISE 2.0 Sponsor Portal – Manage Guests (detail)
Guest Monitoring & Reporting
Guest Monitoring – Prime Infrastructure
• Monitor > Monitoring Tools > Clients and Users window will show all Authentications including Guests
Guest Monitoring Detail – Prime Infrastructure
Guest Activity Reporting – Prime Infrastructure
Guest Monitoring - ISE
• Operations > RADIUS Live Log window will show all Authentications including Guests
• Identity and Authorisation can be found for Guests
Guest Activity Reporting - ISE
Summary
Wireless Guest – Key Takeaways
• Web Authentication is a supplementary authentication method
• Guest traffic isolation is provided via tunnels between Anchor and Foreign
• High Availability is achieved via Anchor Priority, SSO or both
• Sleeping Clients are no problem!
• Guest Portals can be managed:
• Locally via WLC
• Externally via ISE or CMX
• Guest users can be provisioned via WLC, CPI or ISE
• Guest activity can be monitored and reported via CPI or ISE
Q & A
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration
Thank you