
Designing Unified Guest Access,

Wired and Wireless

BRKEWN-2016
Housekeeping

• We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday
• Visit the World of Solutions
• Please remember this is a ‘non-smoking’ venue!
• Please switch off your mobile phones
• Please make use of the recycling bins provided
• Please remember to wear your badge at all times

BRKEWN-2016_c1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda

• Overview: Guest Access as a Supplementary User Authentication
• Wireless Guest Access Control and Path Isolation
• Wired Guest Access Control and Path Isolation
• Guest Authentication Portal
• Guest Provisioning
• Monitoring and Reporting

Guest Access Overview
Evolution to a Supplementary User Authentication

Borderless Network Context

(Diagram: an Enterprise Network with a Remote Site, Data Center, Corporate LAN, Wireless LAN, WAN and a DMZ to the Public Internet. Users arrive over several access methods with numerous profiles: Employees, Contractors, Consultants, Partners and Business Partners, and Unknown or Guest users.)

Guest Access Components

• Centralized Web Page Management
• Sponsored Guest Credentials
• Customizable Login Page
• 802.1X/MAB Compatibility
• Flexible Guest Access Policies
• NAC Guest Server
• ACS 5.1
• Parity for Wired / WLAN
• Centralized Accounting
• Integrated Access Authentication against existing credential stores (Employee Enterprise Directory)

When to Use Web-Authentication?

802.1X: managed 802.1X devices, known users (SSC supplicant)
MAB (MAC address bypass): managed devices without a supplicant
Web Auth: users without 802.1X devices, users with bad credentials

(Diagram: an Employee with SSC authenticates with 802.1X at the WiFi AP; an Employee with a bad credential and a Guest fall back to Web Auth.)

• Web Auth is a supplementary authentication method, most useful when users can’t perform or pass 802.1X
• Primary use case: Guest Access
• Secondary use case: Employee who fails 802.1X

Wireless Guest Access Control
and Path Isolation

Guest Access Control
Cisco WLAN Controller Deployments

• LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)
• Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs
• Control and data traffic tunneled to the controller via CAPWAP: data uses UDP 5247, control uses UDP 5246
• Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID
• Traffic isolation provided by VLANs is valid up to the switch where the controller is connected

CAPWAP: Control And Provisioning of Wireless Access Points

(Diagram: WiSM WLAN Controller in the Campus Core terminating the LWAPP/CAPWAP tunnels from the APs; Guest and Employee traffic mapped to separate Wireless VLANs.)

Path Isolation
WLAN Controller Deployments with EoIP Tunnel

• Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
• Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
• No need to define the guest VLANs on the switches connected to the remote controllers
• Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
• Redundant EoIP tunnels to the Anchor WLC
• 2100 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC

(Diagram: DMZ or Anchor Wireless Controller behind a Cisco ASA Firewall towards the Internet; EoIP “Guest Tunnel” from the remote Wireless LAN Controller, which terminates LWAPP/CAPWAP from the APs serving Guest clients.)

Guest Path Isolation
Firewall Ports and Protocols

• Open in both directions between the foreign and anchor controllers (must be open):
  EoIP packets: IP protocol 97
  Mobility: UDP port 16666 (non-secured) or 16667 (secured IPSec tunnel)
• Do NOT open across the firewall:
  Inter-Controller CAPWAP (rel 5.0, 6.0, 7.0) data/control traffic: UDP 5247/5246
  Inter-Controller LWAPP (before rel 5.0) data/control traffic: UDP 12222/12223
• Optional management/operational protocols:
  SSH/Telnet: TCP port 22/23
  TFTP: UDP port 69
  NTP: UDP port 123
  SNMP: UDP ports 161 (gets and sets) and 162 (traps)
  HTTPS/HTTP: TCP port 443/80
  Syslog: UDP port 514
  RADIUS Auth/Accounting: UDP ports 1812 and 1813

Guest Path Isolation Using VRF
Campus Virtualization

• Virtual Routing/Forwarding (VRF) is the L3 virtualization used in Enterprise Campus networks
• Guest isolation is done by dedicated VRF instances

(Diagram: Guest VRF, Employee VRF and the Global routing table on the same device, each attached to its own logical or physical Layer 3 interface; VRFs are carried between devices over 802.1q, GRE, LSP or other encapsulations.)

Guest Path Isolation Using VRF
WLC and VRF Virtualization

• CAPWAP path isolation at the access layer
• L2 path isolation between the WLC and the default gateway (isolated L2 VLAN)
• L3 VRF isolation from the WLC to the firewall guest DMZ interface

(Diagram: Wireless Guest at the Corporate Access Layer, CAPWAP to the Wireless LAN Controller, isolated L2 VLAN to L3 switches with VRF (Guest VRF, Employee VRF, Global); the Guest VRF terminates on the Guest DMZ interface of a Cisco ASA Firewall, which also has Inside (Corporate Intranet) and Outside (Internet) interfaces; Guest Provisioning is reachable from the guest path.)

Wired Guest Access Control
and Path Isolation

Wired Guest Access

• Wired Guest Access Enforcement Point can be delivered in two different locations:
  Web Authentication on Catalyst Switches
  Wired Guest Access Feature on Wireless LAN Controllers

(Diagram: the Wired Guest lands on an open (guest) VLAN, either through 802.1X with Guest VLAN failover or as a plain open VLAN; the enforcement point is either Catalyst Web Auth with L3 path isolation, or WLC Wired Guest Access with L2 path isolation.)

Wired (Guest) Access Basic Operation

Components: host, switch, DHCP/DNS, AAA server.

1. Trigger: multiple triggers (802.1X timeout, 802.1X failure, MAB failure); single port config, mostly Flex-Auth; access VLAN only
2. Port enabled, pre-auth ACL applied: the pre-auth ACL must permit DHCP and DNS; the ACL applies to the port, so phones must use MDA (multi-domain authentication)
3. Host acquires an IP address, which triggers the session state (DHCP and ARP trigger the state)
4. Host opens a browser and receives the login page: IP HTTP (secure-)server must be enabled; the user may be prompted for certificate trust
5. Host sends the password; the switch queries the AAA server, which authorizes the user and returns the policy. Use the Web Auth AAA fail policy to cover AAA server outages
6. Switch applies the new ACL policy (VLAN assignment not supported)

Wired Guest L3 Path Isolation with VRF

• Access using VLAN isolation
• Web Authentication by Catalyst switches
• Wired Guest isolation with VRF for L3 isolation

(Diagram: Wired Guest in an isolated L2 VLAN at the Corporate Access Layer, L3 switches with VRF (Guest VRF, Employee VRF, Global); the Guest VRF terminates on the Guest DMZ interface of a Cisco ASA Firewall with Inside (Corporate Intranet) and Outside (Internet) interfaces; Guest Provisioning is reachable from the guest path.)

WLC Wired Guest Access
Wired Guest Access by Wireless LAN Controllers

• Wired guest ports are provided in a designated location and plugged into an access switch
• The configuration on the access switch puts these ports into the wired guest layer 2 VLAN
• On a single WLAN controller, the guest VLAN is trunked into the WLC
• On a multi-controller deployment with Auto Anchor mode, the guest VLAN is trunked into the Foreign controller and then tunneled into the DMZ Anchor controller

(Diagram: Wired Guest and Wireless Guest on the Corporate Intranet side share an isolated L2 VLAN into the Wireless LAN Controller, EoIP tunnel to the DMZ or Anchor Wireless LAN Controller behind the Cisco ASA Firewall, then the Internet.)

WLC Wired Guest Access
Deployment Requirements

• Five guest LANs for wired guest access are supported
• Admin can create wired guest VLANs on the WLC and associate them with the guest LAN
• Web-auth is the default security on a wired guest LAN, but open and web pass-through can also be used
• No L2 security such as 802.1X is supported
• Multicast and broadcast traffic are dropped on wired guest VLANs to reduce the load on the overall network
• Wired guest access is supported on a single guest WLC or in an Anchor-Foreign guest WLC scenario

Architecture Summary

• Wireless is the preferred Guest Access technology because it provides no physical connectivity to the corporate network
• Wired Guest Access can be delivered by Catalyst Switches or Wireless LAN Controller
• Anchor Controller in the Guest DMZ allows for full path isolation from the Access Point to the Guest DMZ
• VRF can be used for L3 Guest isolation
• Cisco ASA Firewall provides Internet access security and advanced security features for guest control

Guest Services Portal

Guest Authentication Portal

• Wireless and Wired Guest Authentication Portal is available in four modes:
  Internal (default Web Authentication pages)
  Customized (downloaded customized web pages)
  External using NAC Guest Server
  External (redirected to external server)

Wireless Guest Authentication Portal
Internal Web Portal

• Wireless guest user associates to the guest SSID
• Initiates a browser connection to any website
• Web login page is displayed (screenshot: configurable Welcome Text above the fixed text of the login form)

Wireless Guest Authentication Portal
Customizable Web Portal

• Create your own Guest Access Portal web pages
• Upload the customized web page to the WLC
• Configure the WLC to use “customizable web portal”
• Customized WebAuth bundle can contain:
  22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
  22 login failure pages (in WCS 5.0 and up)
  22 login successful pages (in WCS 5.0 and up)

Wired Guest Authentication Portal
Catalyst Switches Internal Web Portal

• Wired Auth-Proxy Banner
• Configurable Welcome Text from IOS config (the banner is the Welcome Text; the rest of the login page is fixed text):

  (config)#ip admission auth-proxy-banner http ^C
  Here is what the auth-proxy-banner looks like ^C

Wired Guest Authentication Portal
Catalyst Switches Customizable Web Portal

• Configurable HTML pages on bootflash:
• 4 pages / 8KB max each: login, success, expired, failure
• Images must be embedded or external
• Completely customizable

  (config)#ip admission proxy http login page file bootflash:login.html
  (config)#ip admission proxy http success page file bootflash:success.html
  (config)#ip admission proxy http login expired page file bootflash:expired.html
  (config)#ip admission proxy http failure page file bootflash:fail.html

Centralized Wireless
and Wired Guest Portal

NAC Guest Server (NGS)

• Multi-function standalone appliance
• Customizable hotspot hosting
• Sponsored guest access provisioning, verification, management

Wireless Guest
Centralized Login Page

1) Administrator creates the WLAN login page on NGS
2) Wireless guest opens a web browser
3) Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server
4) Guest Server returns the centralized login page

(Diagram: AP, WLC and NGS; the redirect happens at the WLC in step 3, the page is served by NGS in step 4.)

Wired Guest
Looks Exactly the Same As Wireless

1) Administrator creates the wired login page on NGS
2) Wired guest opens a web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) Guest Server returns the centralized login page

(Diagram: Switch and NGS; the redirect happens at the switch in step 3, the page is served by NGS in step 4.)

Authentication and Authorization
Still Local

1) Administrator creates the wired login page on NGS
2) Wired guest opens a web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) Guest Server returns the centralized login page
5) Guest submits credentials to the switch (POST to switch: username, pwd)
6) Switch authenticates the credentials and controls access

(Diagram: Switch and NGS; the login form is served by NGS but POSTs to the switch, which performs authentication and access control.)

Guest Services Provisioning

Requirements for Guest Provisioning

• Might be performed by non-IT personnel
• Must deliver basic features, but might also require advanced features:
  Duration
  Start/end time
  Bulk provisioning, …
• Provisioning strategies:
  Lobby ambassador
  Employees

Multiple Guest Provisioning Services

• Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
  Cisco Wireless LAN Controller: basic provisioning (included in the Cisco Wireless LAN Solution)
  Cisco Wireless Control System: advanced provisioning (additional Cisco product)
  Cisco NAC Guest Server: Cisco dedicated provisioning
  Customer Server: customized provisioning (customer development)

Guest Provisioning Service : WLC
Cisco Wireless LAN Controller

• Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
• Lobby Ambassadors have limited guest features and must create the user directly on the WLC:
  Create Guest User—up to 2048 entries
  Set time limitation—up to 30 days
  Set Guest SSID
  Set QoS Profile

Guest Provisioning Service : WCS
Cisco Wireless Control System

• WCS offers a specific Lobby Ambassador access for guest management only
• Lobby Ambassador accounts can be created directly on WCS, or be defined on external RADIUS/TACACS+ servers
• Lobby Ambassadors on WCS are able to create guest accounts with advanced features such as:
  Start/end time and date, duration
  Bulk provisioning
  Set QoS Profiles
  Set access based on WLC, Access Points, or location

Guest Provisioning Service
Add a Guest User with WCS (screenshot)

Guest Provisioning Service
Print/E-Mail Details of Guest User (screenshot)

Guest Provisioning Service
Schedule a Guest User (screenshot)
Configure Controller Template > Schedule Guest User

Guest Provisioning Service : NGS
Cisco NAC Guest Server

• Dedicated external server
• Complete provisioning, accounting, reporting, and billing services
• Advanced, feature-rich sponsor and guest user policies
• Large guest account base using RADIUS
• Easy integration with Clean Access and WLC
• Email and SMS notifications
• Sponsor authentication through local database, LDAP or Active Directory

Cisco NAC Guest Server
NGS Configuration

1. IT Administrator configures NGS (network/solution management):
   Sponsor or Lobby Ambassador access rights
   Declare the Guest Anchor WLC in NGS
   Configure security/policy rules
2. IT Admin configures the WLC to use Cisco NGS:
   Define Guest SSID
   Associate NGS as RADIUS server

(Diagram: the NAC Guest Server hosts the Lobby Ambassador Portal, Guest Account Database, and Monitoring & Reporting; the Wireless LAN Controller hosts Policy Enforcement and the Guest Web Portal between the Guest (visitor, contractor, customer), the Corporate Network and the Internet; actors are the IT Admin, Lobby Ambassador and Employee Sponsor.)

Cisco NAC Guest Server
Admin Interface

• Admin portal is required to configure the device (screenshot)

Cisco NAC Guest Server
Sponsor Authentication: Local Account/AD

• The sponsor account can be a local user in NGS, an LDAP server account or an Active Directory account (screenshot)

Cisco NAC Guest Server
Guest Policy: Username/Password Policy

Username Policy (one of):
1. E-mail address
2. First and last name
3. Alphabetic, numeric and special characters

Password Policy (required character classes):
1. Alphabetic characters
2. Numeric characters
3. Special characters

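The policy above is what a sponsor portal enforces when it mints guest credentials. The Python below is an added example (not NGS code) of generating credentials that satisfy such a policy with a cryptographically secure source (the `secrets` module, never `random`): the username modes (e-mail address, first and last name, or random) and the three password character classes follow the slide; the default length, the `first.last` separator, the `guest-` prefix and the special-character set are assumptions.

```python
"""Generate guest credentials that satisfy an NGS-style username/password policy.

Added example, not NGS code. Username modes and password character classes
follow the policy slide; length, separator and the special-character set are
assumptions. Uses the secrets module (CSPRNG), never random.
"""
import re
import secrets
import string

PASSWORD_POLICY = {"min_length": 8, "alphabetic": True, "numeric": True, "special": True}
SPECIALS = "!#$%&*+-=?@_"      # assumption: readable set for credentials printed or read aloud


def complies(password: str, policy: dict = PASSWORD_POLICY) -> bool:
    """Check length and that every class the policy requires is present."""
    if len(password) < policy["min_length"]:
        return False
    checks = [
        (policy["alphabetic"], any(c.isalpha() for c in password)),
        (policy["numeric"], any(c.isdigit() for c in password)),
        (policy["special"], any(c in SPECIALS for c in password)),
    ]
    return all(present for required, present in checks if required)


def generate_password(length: int = 10, policy: dict = PASSWORD_POLICY) -> str:
    """Draw uniformly from the allowed alphabet until the draw satisfies the policy."""
    alphabet = ""
    if policy["alphabetic"]:
        alphabet += string.ascii_letters
    if policy["numeric"]:
        alphabet += string.digits
    if policy["special"]:
        alphabet += SPECIALS
    if length < policy["min_length"] or not alphabet:
        raise ValueError("length below policy minimum or empty alphabet")
    while True:      # rejection sampling: uniform over the set of compliant strings
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if complies(candidate, policy):
            return candidate


def make_username(mode: str, email: str = "", first: str = "", last: str = "") -> str:
    """Username per policy: 'email', 'name' (first.last) or 'random'."""
    def clean(s: str) -> str:
        return re.sub(r"[^a-z0-9]", "", s.lower())

    if mode == "email":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            raise ValueError("not an e-mail address")
        return email.lower()
    if mode == "name":
        if not (clean(first) and clean(last)):
            raise ValueError("first and last name required")
        return f"{clean(first)}.{clean(last)}"
    if mode == "random":
        pool = string.ascii_lowercase + string.digits
        return "guest-" + "".join(secrets.choice(pool) for _ in range(8))
    raise ValueError(f"unknown username mode {mode!r}")


if __name__ == "__main__":
    print(make_username("name", first="Ada", last="Lovelace"), generate_password())
```

`complies` is the same check a portal would run on a sponsor-typed password, so generated and hand-entered credentials are held to one rule.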
Cisco NAC Guest Server
WLC Integration: Guest Server Configuration

• Add the WLC that performs WebAuth as a RADIUS client in the NGS
• NGS uses the standard RADIUS attribute 27 (Session-Timeout)

Cisco NAC Guest Server
Informing Guest

• Sponsor has three ways to inform the guest:
  1. Printing the details
  2. Sending the details via e-mail
  3. Sending the details via SMS

Cisco NAC Guest Server
Sponsor Portal: Create and Print Guest Access Credentials (screenshot)

Cisco NAC Guest Server
Guest User Creation

1. Sponsor (Lobby Ambassador or Employee Sponsor) creates the guest account through the dedicated NGS server
2. Credentials are delivered to the guest by print, email or SMS
3. Guest authenticates on the guest portal
4. RADIUS request from the WLC to the NGS server
5. RADIUS response with policies (session timeout, …)
6. RADIUS accounting with session information (time, login, IP, MAC, …)
7. Traffic can go through

(Diagram: the NAC Guest Server (Lobby Ambassador Portal, Guest Account Database, Monitoring & reporting) exchanges RADIUS requests and accounting with the Wireless LAN Controller (Policy Enforcement, Guest Web Portal); the Guest (visitor, contractor, customer) reaches the Internet through the Corporate Network once admitted.)

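Steps 4 and 5 above, together with the earlier note that NGS returns RADIUS attribute 27 (Session-Timeout), are where the sponsor's validity window becomes enforceable: the authorization server hands the WLC a timeout equal to the time left on the account, so the controller drops the session when the account expires. The Python below is an added example (not NGS code) of that decision logic. It assumes a guest account with a validity window and a salted PBKDF2 password hash; the field names, the reply-dict shape and the 30-day cap (mirroring the WLC lobby ambassador limit on an earlier slide) are assumptions.

```python
"""Guest authorization with RADIUS Session-Timeout derived from account validity.

Added example, not NGS code. At login the server returns an Access-Accept whose
Session-Timeout (RADIUS attribute 27) equals the seconds left in the account's
validity window, or an Access-Reject outside the window or on a bad password.
Passwords are stored as salted PBKDF2 hashes and compared in constant time.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=30)   # policy knob; mirrors the WLC "up to 30 days" limit
_DUMMY_SALT = b"\x00" * 16          # keeps unknown-user timing similar to a real lookup


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    valid_from: datetime
    valid_to: datetime
    sponsor: str


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_guest(username: str, password: str, valid_from: datetime,
                 valid_to: datetime, sponsor: str) -> GuestAccount:
    """Sponsor-side provisioning: enforce the validity limit, never store the clear text."""
    if valid_to <= valid_from or valid_to - valid_from > MAX_VALIDITY:
        raise ValueError("validity window must be positive and at most MAX_VALIDITY")
    salt = secrets.token_bytes(16)
    return GuestAccount(username, salt, hash_password(password, salt),
                        valid_from, valid_to, sponsor)


def authorize(accounts: dict, username: str, password: str, now: datetime) -> dict:
    """Return a RADIUS-style reply dict for an Access-Request."""
    acct = accounts.get(username)
    if acct is None:
        hash_password(password, _DUMMY_SALT)        # same work as a real lookup
        return {"code": "Access-Reject", "reason": "unknown user"}
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return {"code": "Access-Reject", "reason": "bad password"}
    if now < acct.valid_from:
        return {"code": "Access-Reject", "reason": "account not yet active"}
    if now >= acct.valid_to:
        return {"code": "Access-Reject", "reason": "account expired"}
    remaining = int((acct.valid_to - now).total_seconds())
    return {"code": "Access-Accept", "User-Name": username,
            "Session-Timeout": remaining}             # RADIUS attribute 27


def demo() -> dict:
    """Constructed scenario: an 8-hour guest account probed at several times."""
    t0 = datetime(2010, 6, 29, 9, 0, tzinfo=timezone.utc)
    accounts = {}
    g = create_guest("guest1", "Vk7#pq2Lm", t0, t0 + timedelta(hours=8), "sponsor@example.com")
    accounts[g.username] = g
    return {
        "in_window": authorize(accounts, "guest1", "Vk7#pq2Lm", t0 + timedelta(hours=2)),
        "bad_password": authorize(accounts, "guest1", "wrong", t0 + timedelta(hours=2)),
        "expired": authorize(accounts, "guest1", "Vk7#pq2Lm", t0 + timedelta(hours=9)),
        "unknown": authorize(accounts, "ghost", "x", t0),
    }


if __name__ == "__main__":
    for case, reply in demo().items():
        print(case, reply)
```

Because the timeout is computed at authentication time rather than stored as a fixed duration, a guest who logs in two hours into an eight-hour account gets a six-hour session, and a re-authentication after expiry is rejected rather than granted a fresh full window.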
Cisco NAC Guest Server
Lobby Ambassador—Guest Account Creation

(Screenshot of the sponsor portal: Personal Settings, several ways to create guest accounts, tools to manage guest accounts.)

Reporting and Monitoring

Cisco NAC Guest Server
Sponsor Portal: Guest Reports and Logs (screenshot)

Aggregation of Guest Information

• NGS aggregates guest reporting information
• From the WLC (RADIUS Accounting): login, start/stop time, MAC address, source IP address
• From the ASA (syslog): destination IP address/ports, URL logging, …

(Diagram: the DMZ or Anchor Wireless LAN Controller sends RADIUS accounting and the Cisco ASA Firewall sends syslog to the NGS Guest Server; Wireless Guest traffic flows from the Corporate Intranet WLC through the anchor and the ASA to the Internet.)

ASA configuration shown on the slide (HTTP inspection produces the URL access message 304001; NTP keeps the syslog timestamps aligned with the RADIUS accounting records):

  ntp server 192.168.215.62
  !
  policy-map global_policy
   class inspection_default
    inspect http
  !
  service-policy global_policy global
  !
  logging enable
  logging timestamp
  logging list WebLogging message 304001
  logging trap WebLogging
  logging facility 21
  logging host inside 192.168.215.16

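The two feeds above only become a guest activity record once they are joined: the ASA knows source IP and URL, the WLC accounting knows which username and MAC held that IP and for how long. The Python below is an added example (not NGS code) of that join. Its inputs are constructed: RADIUS accounting Start/Stop records in the shape a WLC sends (User-Name, Calling-Station-Id, Framed-IP-Address, Event-Timestamp) and ASA `%ASA-5-304001 ... Accessed URL` lines as produced by the `logging list WebLogging message 304001` configuration. The sample deliberately reuses one guest IP for a second guest and includes a hit while no session is active, so the attribution has to respect session time windows rather than match on IP alone. Both clocks are assumed to be UTC (NTP-synchronized); hostnames and addresses are assumptions.

```python
"""Attribute ASA URL logs to guest users via WLC RADIUS accounting.

Added example, not NGS code. A hit is attributed to a guest only when its
source IP matches exactly one session that was active at that instant; hits
with no active session (or an ambiguous overlap) are reported separately
rather than guessed.
"""
import re
from datetime import datetime, timezone

ACCOUNTING = [  # constructed WLC accounting records
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "4c29a3f0/00:40:96:ad:0d:1b/7",
     "User-Name": "guest1", "Calling-Station-Id": "00:40:96:ad:0d:1b",
     "Framed-IP-Address": "10.10.60.21", "Event-Timestamp": "2010-06-29T09:00:05Z"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "4c29a3f0/00:40:96:ad:0d:1b/7",
     "User-Name": "guest1", "Calling-Station-Id": "00:40:96:ad:0d:1b",
     "Framed-IP-Address": "10.10.60.21", "Event-Timestamp": "2010-06-29T09:45:00Z",
     "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "4c29b1c4/00:21:6a:11:22:33/3",
     "User-Name": "guest2", "Calling-Station-Id": "00:21:6a:11:22:33",
     "Framed-IP-Address": "10.10.60.21", "Event-Timestamp": "2010-06-29T10:00:00Z"},
]

ASA_SYSLOG = """\
Jun 29 2010 09:10:12 asa-guest : %ASA-5-304001: 10.10.60.21 Accessed URL 93.184.216.34:http://www.example.com/
Jun 29 2010 09:50:00 asa-guest : %ASA-5-304001: 10.10.60.21 Accessed URL 198.51.100.7:http://orphan.example.net/
Jun 29 2010 10:05:30 asa-guest : %ASA-5-304001: 10.10.60.21 Accessed URL 203.0.113.9:http://portal.example.org/login
"""

URL_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-304001: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)$"
)


def _radius_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _asa_time(s: str) -> datetime:
    return datetime.strptime(s, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def build_sessions(records: list) -> list:
    """Fold Start/Stop records into sessions keyed by Acct-Session-Id."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"], {
            "user": r["User-Name"], "mac": r["Calling-Station-Id"],
            "ip": r["Framed-IP-Address"], "start": None, "stop": None})
        t = _radius_time(r["Event-Timestamp"])
        if r["Acct-Status-Type"] == "Start":
            s["start"] = t
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"] = t                      # None means the session is still open
    return [s for s in sessions.values() if s["start"] is not None]


def attribute(records: list, syslog: str) -> dict:
    """Join each 304001 hit to the session active for its source IP at that time."""
    sessions = build_sessions(records)
    attributed, unattributed = [], []
    for line in syslog.splitlines():
        m = URL_LOG_RE.match(line)
        if not m:
            continue
        ts = _asa_time(m["ts"])
        hit = {"time": ts.isoformat(), "src": m["src"], "dst": m["dst"], "url": m["url"]}
        owners = [s for s in sessions
                  if s["ip"] == m["src"] and s["start"] <= ts
                  and (s["stop"] is None or ts < s["stop"])]
        if len(owners) == 1:
            attributed.append({**hit, "user": owners[0]["user"], "mac": owners[0]["mac"]})
        else:                                  # no active session, or ambiguous: do not guess
            unattributed.append(hit)
    return {"attributed": attributed, "unattributed": unattributed}


if __name__ == "__main__":
    report = attribute(ACCOUNTING, ASA_SYSLOG)
    for h in report["attributed"]:
        print(h["time"], h["user"], h["mac"], h["url"])
    for h in report["unattributed"]:
        print(h["time"], "UNATTRIBUTED", h["src"], h["url"])
```

In the sample the 09:50 hit lands after guest1's Stop and before guest2's Start, so it is reported as unattributed; an IP-only join would have pinned it on whichever guest happened to be looked up, which is exactly the kind of error that undermines a guest activity report used for incident follow-up.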
Guest Activity Reporting (screenshot)

Summary

From Wireless Guest Access …

(Diagram: Sponsored Guest and Guest served by the Wireless LAN Controller and the Wireless Control System.)

… to Unified Wired and Wireless
Guest Access …

(Diagram: Sponsored Guest and Guest served by the NGS Guest Server, with parity for Wired / WLAN.)

… to Centralized Policy and Accounting

(Diagram: Employees (802.1X/MAB, SSC compatibility), Sponsored Guests and Guests with parity for Wired / WLAN; the NGS Guest Server with RADIUS Proxy and Active Directory deliver Centralized Policy & Accounting.)

What We Have Covered…

• What a Guest Access Service is made of
• The need for a secured infrastructure to support isolated guest traffic; Unified Wireless is a key component of this infrastructure
• The Guest Service components are integrated in the Cisco Wired and Wireless Solution
• Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network

Recommended Reading
BRKEWN-2016

Complete Your Online
Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Receive 20 Cisco Preferred Access points for each session evaluation you complete.
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Enter to Win a 12-Book Library
of Your Choice from Cisco Press

Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code

Check the Recommended Reading brochure for suggested products available at the Cisco Store

Additional Slides
Evolution to a Supplementary User Authentication

Challenge in Building an Access Policy
in a Borderless Network

Access Policy

Authorized Access:
• Who is on my network?
• Can I manage the risk of using personal PCs?
• Common access rights when on-prem, at home, on the road?
• Endpoints are healthy?

Guest Access:
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Non-User Devices:
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?

Why Web Authentication for Guest?

• User-based
• Familiar
• Ubiquitous
• Clientless

Additional Slides
LWAPP/CAPWAP Controller Configurations

Guest Access Control
WLAN Controller Deployments
Cisco Catalyst Switch
Access Layer Switch (Connected to WLAN Controller)

  vlan 2
   name AP_Mgmt
  !
  vlan 3
   name Employee_VLAN
  !
  vlan 4
   name Guest_VLAN
  !
  ! No trunk between the AP and the access layer switch: only the AP Mgmt VLAN is defined
  interface FastEthernet0/1
   description link to AP
   switchport access vlan 2
   switchport mode access
  !
  ! SVIs corresponding to each SSID are defined here
  interface Vlan3
   description Employee_VLAN
   ip address 10.10.3.1 255.255.255.0
  !
  interface Vlan4
   description Guest_VLAN
   ip address 10.10.4.1 255.255.255.0
  !
  interface GigabitEthernet1/0/1
   description Trunk Port to Cisco WLC
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 2
   switchport trunk allowed vlan 2-4
   switchport mode trunk
   no shutdown

Guest Access Control
WLAN Controller Deployments

Create the employee and guest VLAN in the controller (screenshot)

Guest Access Control
WLAN Controller Deployments

Map the employee/guest WLAN in the controller to the respective employee/guest VLAN (screenshot)

Additional Slides
Building the EoIP Tunnel

Guest Path Isolation
Building the EoIP Tunnel

• Specify a mobility group for each WLC
• Open ports for:
  Inter-Controller Tunneled Client Data
  Inter-Controller Control Traffic
• Configure the mobility groups and add the MAC address and IP address of the remote WLC
• Create identical WLANs on the Remote and Anchor controllers
• Create the Mobility Anchor for the Guest WLAN
• Modify the timers in the WLCs
• Check the status of the Mobility Anchors for the WLAN

Pros:
• Simple configuration
• Overlay solution: no need to modify the network configuration

Cons:
• Support for wireless and wired (layer-2 adjacent) guest clients only
• Limited to WLAN Controller wireless deployments

Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Remote Controller Configuration
Each WLC is part of a mobility group (screenshot)

Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Anchor and Remote Controller Configuration
• Configure the mobility groups and add the MAC address and IP address of the remote WLCs (screenshots: Anchor, Remote)

Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Remote Controller Configuration
• Create the mobility anchor for the guest WLAN on the Remote WLCs (screenshot)

Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Anchor Controller Configuration
• Create the Mobility Anchor for the guest WLAN on the Anchor WLC (screenshot)

Path Isolation
WLAN Controller Deployments with EoIP Tunnel
Anchor Controller
• Modify the timers on the Anchor WLCs
• Check the status of the mobility anchors for the WLAN (screenshot)

Guest Network Redundancy

• Using the EoIP ping (data path) functionality, Anchor WLC reachability is determined
• The Foreign WLC sends pings at configurable intervals to see if the Anchor WLC is alive
• Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
• The Remote WLC keeps on monitoring the Anchor WLC
• Under normal conditions, round-robin fashion is used to balance clients between Anchor WLCs

(Diagram: two Anchor WLCs, A1 (Management 10.10.75.2) and A2 (Management 10.10.76.2), facing the Internet, each reached over an EtherIP “Guest Tunnel” across the Campus Core from Foreign WLC F1 (Management 10.10.80.3, Guest VLAN 10.10.60.x/24, CAPWAP to the APs); primary and redundant links carry the Guest and Secure Wireless VLANs.)

Path Isolation
Sample Firewall Configuration

  interface Ethernet0/1
   nameif inside
   security-level 100
   ip address 10.50.10.26 255.255.255.0
  !
  interface Ethernet0/2
   nameif dmz
   security-level 50
   ip address 10.10.51.1 255.255.255.0
  !
  ! Only mobility control (UDP 16666/16667) and EoIP (IP protocol 97) between the two controllers
  access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
  access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
  access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
  !
  global (dmz) 1 interface
  nat (inside) 1 10.70.0.0 255.255.255.0
  ! identity static so the anchor address 10.70.0.2 is not translated (assumed; the slide's printed real address was malformed)
  static (inside,dmz) 10.70.0.2 10.70.0.2 netmask 255.255.255.255
  !
  access-group DMZ in interface dmz

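The sample above and the earlier "Firewall Ports and Protocols" slide together define what a correct anchor/foreign firewall policy looks like: EoIP (IP protocol 97) and the mobility control port (UDP 16666, or 16667 for the IPSec-secured variant) permitted between the two controllers, and the AP CAPWAP/LWAPP ports (UDP 5246/5247, 12222/12223) left closed. The Python below is an added example (not Cisco code) that parses ASA `access-list ... extended permit|deny ... host A host B [eq PORT]` lines such as the ones above and checks them against those requirements. The ACL name, addresses and the `check_guest_anchor_policy` function are assumptions for illustration; ACEs written with object-groups, ranges or `any` are outside the parser and are ignored.

```python
"""Validate an ASA access-list against the guest-anchor firewall requirements.

Added example, not Cisco code. Only the host-to-host ACE form used on the
slide is parsed; other ACE shapes are ignored.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Requirements from the "Firewall Ports and Protocols" slide.
MUST_OPEN = {("97", None), ("udp", 16666)}   # EoIP data, mobility control
SECURE_MOBILITY = ("udp", 16667)              # IPSec-secured mobility tunnel (optional)
MUST_NOT_OPEN = {                             # AP join/data ports are not inter-controller
    ("udp", 5246), ("udp", 5247),             # CAPWAP control/data
    ("udp", 12222), ("udp", 12223),           # LWAPP data/control (before rel 5.0)
}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str          # 'udp', 'tcp', or a protocol number such as '97'
    src: str
    dst: str
    port: Optional[int]


def parse_acl(config: str) -> list:
    """Extract host-to-host ACEs from an ASA configuration dump."""
    aces = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            aces.append(Ace(m["name"], m["action"], m["proto"].lower(),
                            m["src"], m["dst"], port))
    return aces


def _label(key) -> str:
    proto, port = key
    return f"{proto}/{port}" if port is not None else f"ip-proto-{proto}"


def check_guest_anchor_policy(config: str, foreign: str, anchor: str) -> dict:
    """Report what is missing and what is wrongly exposed between the two WLCs."""
    permitted = {
        (a.proto, a.port)
        for a in parse_acl(config)
        if a.action == "permit" and {a.src, a.dst} == {foreign, anchor}
    }
    return {
        "missing": sorted(_label(k) for k in MUST_OPEN - permitted),
        "exposed": sorted(_label(k) for k in MUST_NOT_OPEN & permitted),
        "ipsec_mobility": SECURE_MOBILITY in permitted,
    }


# Constructed inputs: the slide's ACL, and a variant that also lets AP CAPWAP control through.
SLIDE_ACL = """
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16666
access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 16667
access-list DMZ extended permit 97 host 10.50.10.26 host 10.70.0.2
"""
WEAK_ACL = SLIDE_ACL + "access-list DMZ extended permit udp host 10.50.10.26 host 10.70.0.2 eq 5246\n"

if __name__ == "__main__":
    for name, acl in (("slide", SLIDE_ACL), ("weak", WEAK_ACL)):
        print(name, check_guest_anchor_policy(acl, "10.50.10.26", "10.70.0.2"))
```

Run against a controller pair that is not the one the ACL names, the check reports everything as missing, which is the right failure mode for a copy-pasted policy whose addresses were never updated.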
Show Commands

• show mobility summary (screenshot)
• show mobility anchor (screenshot)
• show mobility statistics (screenshot)

Show Commands—Remote and
Anchor WLC
Show client detail mac_address
Remote
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Anchor
(Cisco Controller) >show client detail 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Client MAC Address............................... 00:40:96:ad:0d:1b
Foreign WLC: show client detail
Client Username ................................. N/A
AP MAC Address................................... 00:14:1b:59:3f:10
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:14:1b:59:3f:1f
Channel.......................................... 64
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None

Anchor WLC: show client detail
Client Username ................................. guest1
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:00:00:00:00:01
Channel.......................................... N/A
IP Address....................................... 10.50.10.128
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Mirroring........................................ Disabled
QoS Level........................................ Silver
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 4
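The two outputs above can be compared programmatically when troubleshooting a guest anchor. The following Python is an added example, not part of the Cisco session material: it parses the dotted "Name.... value" lines of show client detail from both controllers and checks that the foreign and anchor entries describe one consistently anchored, web-authenticated guest. The sample outputs are constructed from the slide, and the management addresses 10.50.10.26 (foreign) and 10.70.0.2 (anchor) are the ones shown there.

```python
import re

# Constructed samples, trimmed from the slide's foreign and anchor "show client detail" output.
FOREIGN_OUTPUT = """\
Client Username ................................. N/A
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.70.0.2
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
"""
ANCHOR_OUTPUT = """\
Client Username ................................. guest1
IP Address....................................... 10.50.10.128
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.50.10.26
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Interface........................................ guest
VLAN............................................. 4
"""
FIELD = re.compile(r"^(.*?)\s*\.{2,}\s*(.*)$")  # "Name........ value"

def parse_client_detail(text):
    """Turn the dotted 'Name.... value' lines of show client detail into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_anchoring(foreign_text, anchor_text, foreign_mgmt_ip, anchor_mgmt_ip):
    """Return the inconsistencies found for one guest client; an empty list means healthy."""
    f, a = parse_client_detail(foreign_text), parse_client_detail(anchor_text)
    checks = [
        (f.get("Mobility State") == "Export Foreign", "foreign: not in Export Foreign state"),
        (a.get("Mobility State") == "Export Anchor", "anchor: not in Export Anchor state"),
        # each side must point at the other controller's management address
        (f.get("Mobility Anchor IP Address") == anchor_mgmt_ip, "foreign: wrong anchor WLC address"),
        (a.get("Mobility Foreign IP Address") == foreign_mgmt_ip, "anchor: wrong foreign WLC address"),
        # web auth runs on the anchor, so RUN state and the guest username must appear there
        (a.get("Policy Manager State") == "RUN" and a.get("Security Policy Completed") == "Yes",
         "anchor: client has not completed web authentication"),
        (a.get("Client Username", "N/A") != "N/A", "anchor: no guest username for the client"),
        # the guest must land on the anchor's guest interface, not on a campus VLAN
        (bool(a.get("Interface")) and bool(a.get("VLAN")), "anchor: client not on a guest interface/VLAN"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it the full output of both controllers; a client that is still in WEBAUTH_REQD on the anchor, or whose foreign entry points at a different anchor, comes back as a finding.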
Additional Slides
WLC Wired Guest Configuration

WLC Wired Guest Access
Deployment Steps
 Create a dynamic interface as the guest LAN; this will be the ingress interface
 DHCP server information is not required on the ingress interface
 DHCP server information is required on the egress dynamic interface
WLC Wired Guest Access Configuration

 Create the wired WLAN as “Guest LAN” type
WLC Wired Guest Access Configuration

 Assign the Ingress and Egress Interfaces
 Ingress interface is the wired guest LAN
 Egress interface can be the management interface or any dynamic interface
WLC Wireless and Wired Guest Configuration

 Wireless and wired guest WLANs
Additional Slides

Wireless Guest Authentication Portal
Configuring Customized WebAuth with WCS
(Diagram: WCS managing the campus; Guest and Emp wireless VLANs carried over CAPWAP through the Campus Core to the Internet)

 Download a sample copy of the customized WebAuth page from WCS
 Customize the WebAuth page as per your requirements
 Upload the newly customized WebAuth page to the Anchor WLC
Wireless Guest Authentication Portal
Design with Anchor WLC
(Diagram: WCS managing the campus; Guest and Emp wireless VLANs carried over LWAPP through the Campus Core to the Internet)

 Upload the customized web page to the Anchor WLC
 Customized WebAuth bundle can contain:
22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
22 login failure pages (in WCS 5.0 and up)
22 login successful pages (in WCS 5.0 and up)
Additional Slides
Configuring External Web Portal

Wireless Guest Authentication Portal
External Web Server with WLC
(Diagram: External Web Server alongside the WLC; Guest and Emp wireless VLANs carried over CAPWAP through the Campus Core to the Internet)
Customized Wired Pages
Design Considerations: No Redirect CLI

4503-rk2#show run | i login.html
ip auth-proxy proxy http login page file bootflash:login.html
4503-rk2#more login.html
<html>
<head>
<script type="text/javascript">
location.href="https://10.100.10.227:8443/sites/LWA/switch_login.html?redirect_url="+location.href;
</script>
<noscript>
<meta HTTP-EQUIV="REFRESH" content="0; url=https://10.100.10.227:8443/sites/LWA/switch_login.html">
</noscript>
</head>
<body>
Redirecting ... continue <a href="https://10.100.10.227:8443/sites/LWA/switch_login.html">here</a>
</body>
</html>

Customized “Magic” Login Page: the redirect to the NGS is done by JavaScript, by the meta tag, or manually via the link.

• File is included in NGS 2.0.2: /guest/sites/samples/switch_includes
• To re-use this file, change “10.100.10.227” to the IP address of your NGS and “LWA” to the name of your NGS hotspot for wired
Customized Wired Pages
Switch Config

ip device tracking
ip admission name IP_ADMIN_RULE proxy http
ip admission proxy http login page file disk1:login.htm
ip admission proxy http success page file disk1:success.htm
ip admission proxy http fail page file disk1:fail.htm
ip admission proxy http login expired page file disk1:expired.htm
!
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE
!
dot1x system-auth-control
!
interface Gigabit 1/0/5
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 authentication fallback WEB_AUTH_PROFILE
 authentication event fail action next-method
 dot1x pae authenticator
 dot1x tx-period 5
!
ip http server
ip http secure-server
!
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.100.10.227 eq 8443

Make sure to update the “Magic” Login Page with the NGS IP address and hotspot name.
The PRE_WEBAUTH_POLICY ACL permits only DHCP, DNS and traffic to the NGS before authentication; everything else is standard Web-Auth.
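A pre-WebAuth ACL that is wider than DHCP, DNS and the NGS portal silently defeats the login page, so it is worth auditing before a push. The following Python is an added example, not part of the session material: it pulls the named extended ACL out of an IOS config snippet and flags every permit entry whose destination or port is broader than that policy. The config text is constructed from the slide, with one over-permissive entry added so the audit has something to report; the NGS address 10.100.10.227 and port 8443 are the slide's values.

```python
# Constructed sample: the PRE_WEBAUTH_POLICY ACL from the slide, plus one over-permissive
# entry ("permit ip any any") added here so the audit has something to flag.
SWITCH_CONFIG = """\
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.100.10.227 eq 8443
 permit ip any any
!
ip http secure-server
"""

def parse_extended_acl(config, name):
    """Return the access-control entries (stripped, in order) of the named extended ACL."""
    aces, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
        elif inside and not line.startswith(" "):   # next top-level stanza or "!"
            break
        elif inside and line.strip():
            aces.append(line.strip())
    return aces

def _address(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def audit_pre_webauth_acl(config, name, ngs_ip, ngs_port="8443"):
    """Flag every permit entry that allows more than DHCP, DNS or the NGS login portal."""
    allowed = {("udp", "any", "bootps"), ("udp", "any", "domain"), ("tcp", ngs_ip, ngs_port)}
    findings = []
    for ace in parse_extended_acl(config, name):
        t = ace.split()
        if t[0] != "permit":
            continue                      # deny entries only tighten the policy
        proto, rest = t[1], t[2:]
        _, rest = _address(rest)          # source: unauthenticated clients may be anywhere
        if rest[:1] == ["eq"]:
            rest = rest[2:]               # skip a source-port qualifier
        dst, rest = _address(rest)        # destination is what the policy constrains
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        if (proto, dst, port) not in allowed:
            findings.append(ace)
    return findings
```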
Additional Slides
WCS Lobby Ambassador Configuration

Guest Provisioning Service
Lobby Ambassador Feature in WCS
 User created in WCS with Lobby Ambassador (LA) privilege
 Lobby Ambassador user logs into WCS to create guest user accounts
Guest Provisioning Service
Lobby Ambassador Feature in WCS
 Associate the lobby admin with Profile- and Location-specific information
Guest Provisioning Service
Details About the Guest User(s)

WCS Provisioning Service
Using Internal DB and Reporting Capabilities
(Diagram: Lobby Ambassador / Employee Sponsor; WCS with Lobby Ambassador Portal, Guest Account Database, Monitoring & Reporting; Wireless LAN Controller with Policy Enforcement and Guest Web Portal; Corporate Network and Internet; Guest = Visitor, Contractor, Customer)

1. Lobby Ambassador creates the Guest Account with policies
2. Guest Account credentials & rules are pushed to the WLC
3. Credentials are delivered to the Guest by Print or Email with customized Logo
4. Guest authenticates on the Guest portal
5. SNMP Trap with guest login information (MAC@, IP@, …)
6. Traffic can go through
