BRKEWN-2013 Deploying Wireless Guest Access


Deploying Wireless Guest Access

BRKEWN-2013

BRKEWN-2013 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Abstract
This session focuses on design requirements and deployment considerations for a wireless guest access solution. It discusses the main components of an end-to-end guest access solution, including how to provide network access to visitors and how to route guest traffic safely and securely across the network. Attendees will be introduced to a detailed discussion of the guest access services available directly on the wireless LAN controllers (WLC), management of guest services using Cisco Prime Infrastructure, and integration with the Identity Services Engine (ISE) for external web authentication services such as sponsored and self-service options. We will also discuss FlexConnect, Guest Anchor, and enhanced guest security with WLC and ISE.
This session is especially useful for attendees responsible for the design, deployment, operations and management of enterprise campus wireless networks. It is assumed that attendees have a working knowledge of LAN switching and routing, and of 802.1X and Network Admission Control fundamentals. Knowledge of 802.11 WLAN fundamentals and WLAN security is required.

Agenda
• Overview: Guest Access as a Supplementary User Authentication
• Guest Access Control & Path Isolation
• Secure Guest in FlexConnect
• Guest Authentication Portal
• Guest Provisioning
• Monitoring & Reporting

Session Objectives
• Understand what makes up a wireless guest access service
• Learn about the importance of isolating guest traffic
• See how secure guest access is integrated in Cisco Wireless
• Understand guest services in a FlexConnect environment
• Discover how Cisco ISE enhances guest services

Guest Access Overview

Evolution of Network Access
(Figure: in the age of the borderless network, access is decided by who the user is, the health of the device, location, time and access method. The diagram shows employees in Sales, Finance and Payroll on managed and unmanaged desktops, personal devices and VPN, contractors and guests, plus printers, IP cameras, game consoles and security systems, connecting through the branch network, campus network, mobile hotspots and the Internet to internal resources.)

Context-Based Access
Who = User Identity
• Known/Managed Users (long-term)
  Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Contractors
  Primary Auth Methods: 802.1X or Agent-based
  Considerations: Identity Stores; EAP types and supplicant
• Unknown/Unmanaged Users (temporary or infrequent access)
  Examples: Guests, Visitors, Short-term Partners/Contractors
  Primary Auth Method: Web authentication
  Considerations: Web Redirection and Authentication Portals; Guest Provisioning and Identity Stores

Corporate vs Guests
(Figure: an employee device and a guest device associate through the same AP, whose CAPWAP tunnel terminates on the WLC; the WLC connects to the network on an 802.1Q trunk carrying VLAN 30 towards corporate resources and VLAN 50 towards the Internet.)
1. EAP authentication of the employee against ISE
2. Accept with VLAN 30
3. Web Auth of the guest device
4. Accept with GUEST ACL
• Users with corporate devices and their AD user id can be assigned to the Employee VLAN
• Guests authenticate via Web Auth and are assigned a GUEST-ACL on the Guest VLAN

Requirements for Secure Guest Access
Technical
• No access until authorised
• Guest traffic should be segregated from the internal network
• Web-based authentication
• Full auditing of location, MAC, IP address, username
• Overlay onto existing enterprise network
• Bandwidth and QoS management

Usability
• No laptop reconfiguration, no client software required
• Plug & Play
• Splash screens and web content can differ by location
• Easy administration by non-IT staff
• “Guest network” must be free or cost-effective and non-disruptive

Monitoring
• Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) before access is granted
• Logging and Monitoring
• Must not require guest desktop software or configuration

Guest Access Components
(Figure: the Identity Services Engine, or the NAC Guest Server with parity for ACS 5.1, provides a customisable centralised web login page, flexible access policies, sponsored guest credentials, centralised accounting and 802.1X/MAB compatibility; wired and wireless access authentication is integrated with existing credential stores such as the employee enterprise directory.)

Guest Access Control & Path Isolation

Access Control: End-to-End Wireless Traffic Isolation
LWAPP/CAPWAP APs
The fact:
• Traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller
The challenge:
• How to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communications?

Path Isolation
Why Do We Need It for Guest Access?
• Extend logical traffic isolation end-to-end over the L3 network domain
• Separate and differentiate the guest traffic from the corporate internal traffic (security policies, QoS, bandwidth, etc.)
• Securely transport the guest traffic across the internal network infrastructure to the DMZ

Guest Access Control
Cisco WLAN Controller Deployments
• LWAPP/CAPWAP tunnel is a Layer 2 tunnel (encapsulates the original Ethernet frame)
• Same LWAPP/CAPWAP tunnel used for data traffic of different SSIDs
• Control and data traffic tunneled to the controller via LWAPP/CAPWAP: data uses UDP 12222/5247, control uses UDP 12223/5246
• Data traffic bridged by the WLAN controller on a unique VLAN corresponding to each SSID
• Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
(Figure: guest and employee SSIDs share the LWAPP/CAPWAP tunnel from the AP across the campus core to a WiSM WLAN controller, which bridges them onto separate wireless VLANs.)

LWAPP - Lightweight Access Point Protocol
CAPWAP - Control And Provisioning of Wireless Access Points

Solution #1: Path Isolation using EoIP
WLAN Controller Deployments with EoIP Tunnel
• Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
• Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN
• No need to define the guest VLANs on the switches connected to the remote controllers
• Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
• Redundant EoIP tunnels to the Anchor WLC
• 2100/2500 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPSec encrypted tunnels on the remote WLC
(Figure: guests attach to APs on the remote Wireless LAN Controller via CAPWAP; the EoIP “Guest Tunnel” carries their traffic to the DMZ or Anchor Wireless Controller behind a Cisco ASA firewall, which forwards it to the Internet.)

Guest Network Redundancy
• Using EoIP pings (data path functionality), Anchor WLC reachability is determined
• The Foreign WLC sends pings at configurable intervals to see if the Anchor WLC is alive
• Once an Anchor WLC failure is detected, a DEAUTH is sent to the client
• The Remote WLC keeps on monitoring the Anchor WLC
• Under normal conditions a round-robin fashion is used to balance clients between Anchor WLCs
(Figure: foreign controller F1 (management 10.10.80.3, guest VLAN 10.10.60.x/24) holds a primary EtherIP “Guest Tunnel” to anchor A1 (management 10.10.75.2) and a redundant one to anchor A2 (management 10.10.76.2) across the campus core; the anchors bridge the Guest and Secure SSIDs onto wireless VLANs towards the Internet.)

Implementing Guest Path Isolation Using WLC
Building the EoIP Tunnel
1. Specify a mobility group for each WLC
2. Open ports for:
• Inter-Controller Tunneled Client Data
• Inter-Controller Control Traffic
• EoIP tunnel protocol
• Other ports as required
3. Create Guest VLAN on Anchor controller(s)
4. Create identical WLANs on the Remote and Anchor controllers
5. Configure the mobility groups and add the MAC-address
and IP address of the remote WLC
6. Create the Mobility Anchor for the Guest WLAN
7. Modify the timers in the WLCs
8. Check the status of the Mobility Anchors for the WLAN

Guest Path Isolation
WLAN Controller Deployments with EoIP Tunnel

Remote Controller Configuration
• Anchor and Remote WLCs are configured in different Mobility Groups

Anchor and Remote Controller Configuration
• Configure Guest WLANs on the Remote and Anchor controllers
• Configure Guest VLAN on the Anchor WLC
• Configure the mobility groups and add the MAC address and IP address of the remote WLCs (on both the Anchor and the Remote)

Remote Controller Configuration
• Create the mobility anchor for the guest WLAN on the Remote WLCs

Anchor Controller Configuration
• Create the Mobility Anchor for the guest WLAN on the Anchor WLC
• Modify the timers and DSCP on the Anchor WLCs
• Check the status of the mobility anchors for the WLAN

Guest Path Isolation
Firewall Ports and Protocols
• Ports between the remote and anchor controllers, in both directions:
  - EoIP packets: IP protocol 97 (must be open)
  - Mobility: UDP port 16666 (must be open)
  - Inter-Controller CAPWAP (rel 5.0, 6.0, 7.0+) data/control traffic: UDP 5247/5246 (do NOT open)
  - Inter-Controller LWAPP (before rel 5.0) data/control traffic: UDP 12222/12223 (do NOT open)
• Optional management/operational protocols:
  - SSH/Telnet TCP port 22/23
  - TFTP UDP port 69
  - NTP UDP port 123
  - SNMP UDP ports 161 (gets and sets) and 162 (traps)
  - HTTPS/HTTP TCP port 443/80
  - Syslog TCP port 514
  - RADIUS Auth/Account UDP port 1812 and 1813

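As an added example (not from the deck), the following Python audits a DMZ firewall rule set against the port list above: the EoIP and mobility ports must be permitted in both directions between the foreign and anchor controllers, the inter-controller CAPWAP/LWAPP ports must not be, and the optional management ports are only reported. The rule format, the zone names "inside"/"dmz" and the sample rules are constructed for this example.

```python
"""Audit DMZ firewall rules for a WLC guest-anchor (EoIP) deployment.

Added example, not code from the Cisco Live deck. The Rule format, the zone
names "inside" (foreign WLC) / "dmz" (anchor WLC) and SAMPLE_RULES are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source zone or "any"
    dst: str             # destination zone or "any"
    proto: str           # "udp", "tcp", an IP protocol number as a string, or "any"
    port: Optional[int]  # destination port; None matches any port (or a port-less protocol)


# From the session's port table: must be open in both directions.
REQUIRED = {
    ("97", None): "EoIP (IP protocol 97)",
    ("udp", 16666): "Mobility (UDP 16666)",
}
# Inter-controller CAPWAP/LWAPP data and control ports: do NOT open.
FORBIDDEN = {
    ("udp", 5246): "CAPWAP control", ("udp", 5247): "CAPWAP data",
    ("udp", 12222): "LWAPP data", ("udp", 12223): "LWAPP control",
}
# Optional management/operational protocols: reported so an auditor can confirm intent.
OPTIONAL = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("udp", 69): "TFTP", ("udp", 123): "NTP",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP traps", ("tcp", 443): "HTTPS",
    ("tcp", 80): "HTTP", ("tcp", 514): "Syslog",
    ("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS acct",
}


def _matches(rule: Rule, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.proto in (proto, "any")
            and (rule.port is None or rule.port == port))


def effective_action(rules: List[Rule], src: str, dst: str,
                     proto: str, port: Optional[int] = None) -> str:
    """First matching rule wins; an unmatched flow hits the implicit deny."""
    for rule in rules:
        if _matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"


def audit(rules: List[Rule], foreign_zone: str = "inside",
          anchor_zone: str = "dmz") -> Dict[str, List[str]]:
    """Return findings keyed by severity for the foreign<->anchor controller path."""
    findings: Dict[str, List[str]] = {"missing": [], "forbidden_open": [], "optional_open": []}
    directions = [(foreign_zone, anchor_zone), (anchor_zone, foreign_zone)]
    for (proto, port), name in REQUIRED.items():
        for src, dst in directions:
            if effective_action(rules, src, dst, proto, port) != "permit":
                findings["missing"].append(f"{name} {src}->{dst}")
    for table, key in ((FORBIDDEN, "forbidden_open"), (OPTIONAL, "optional_open")):
        for (proto, port), name in table.items():
            for src, dst in directions:
                if effective_action(rules, src, dst, proto, port) == "permit":
                    findings[key].append(f"{name} ({proto}/{port}) {src}->{dst}")
    return findings


# Constructed sample: the mobility return path was forgotten and CAPWAP data was
# opened by mistake; RADIUS auth is an optional port that merely gets reported.
SAMPLE_RULES = [
    Rule("permit", "inside", "dmz", "97", None),
    Rule("permit", "dmz", "inside", "97", None),
    Rule("permit", "inside", "dmz", "udp", 16666),
    Rule("permit", "inside", "dmz", "udp", 5247),
    Rule("permit", "inside", "dmz", "udp", 1812),
    Rule("deny", "any", "any", "any", None),
]


if __name__ == "__main__":
    for severity, items in audit(SAMPLE_RULES).items():
        for item in items:
            print(f"{severity}: {item}")
```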
Solution #2: Guest Path Isolation using VRF
Campus Virtualisation
• Virtual Routing/Forwarding (VRF) or VRF-lite is the L3 virtualisation used in Enterprise Campus networks
• Guest isolation is done by dedicated VRF instances
(Figure: a Guest VRF, an Employee VRF and the global table on each L3 device, interconnected over logical or physical Layer 3 interfaces using 802.1q, GRE, MPLS/LSP or others.)

Guest Path Isolation using VRF
WLC and VRF Virtualisation
• LWAPP/CAPWAP path isolation at the access layer
• L2 path isolation between WLC and default gateway
• L3 VRF isolation from WLC to firewall Guest DMZ interface
(Figure: guests reach the Wireless LAN Controller via CAPWAP from the corporate access layer; the guest VLAN is an isolated L2 VLAN to L3 switches carrying the Guest VRF, which terminates on the Guest DMZ interface of the Cisco ASA (inside: corporate intranet, outside: Internet); the Employee VRF and the global table stay separate. Guest provisioning sits behind the firewall.)

Wireless Guest Access
Deployment Options Summary
(Figure: three Cisco Unified Wireless designs managed by NCS: No DMZ Controller (guest VLANs through the LAN to the Internet), VRF (guest VRF through the LAN to the Internet) and DMZ Controller (EoIP tunnel through the LAN to a DMZ WLC).)

                           No DMZ Controller    VRF                  DMZ Controller
Provisioning Portal        Yes                  Yes                  Yes
User Login Portal          Yes                  Yes                  Yes
Traffic Segmentation       VLANs thru Network   VRF thru Network     Yes (Tunnels or VLANs)
User Policy Management     Yes                  Yes                  Yes
Reporting                  Yes                  Yes                  Yes
Overall Functionality      Medium               High                 High
Overall Design Complexity  Medium               High                 Low

Securing Access with FlexConnect
FlexConnect and External WebAuth
• ISE for external webauth with FlexConnect central authentication with local switching
• Guest client is provided with a URL/ACL permit to ISE
• Client does webauth with ISE
• Guest moves to local switching
(Figure: the branch AP reaches the controller over the WAN for RADIUS auth, URL/ACL and webauth; after authentication the client is switched locally in the branch with the assigned VLAN.)

Guest with FlexConnect
(Figure: in the branch office, guests and corporate users share a FlexConnect AP; corporate traffic is switched locally on the branch VLAN, while guest traffic is tunneled from the WLC (virtual controller in FlexConnect mode) over an EoIP tunnel to the Anchor Controller on the DMZ VLAN behind the ASA firewall and out to the Internet. The Identity Services Engine, Active Directory server and Certificate Authority server sit in the corporate intranet behind a Cisco 3750 switch.)

CWA on Wireless Controllers
(Figure: a contractor or guest associates to the Guest-SSID; the WLC performs MAB against ISE, and the default policy returns a Redirect ACL and URL Redirect that block all non-HTTP/DHCP/DNS traffic until the user authenticates on the ISE guest portal. ISE is backed by AD/CA and the ISE Guest DB.)

Pre-Requisites
Foreign Controller – Step-by-Step
(Foreign WLC 10.1.100.61 / 00:50:56:B0:01:0E; Anchor WLC 10.10.20.5 / D0:c2:82:dd:88:00)
1. Configure Interfaces
2. Configure Mobility Group Members
3. Configure WLAN
4. Configure Mobility Anchors

Pre-Requisites
Anchor Controller – Step-by-Step
Allow Access to ISE for CWA (URL-Redirect): NOT Required
1. Configure Interfaces
2. Configure Mobility Group Members
3. Configure WLAN
4. Configure Mobility Anchors

Review Wireless CWA Config

CWA – Session Flow
(Figure: the Guest SSID client on the Foreign WLC (10.1.100.61 / 00:50:56:B0:01:0E) is tunneled over EoIP to the Anchor WLC (10.10.20.5 / D0:c2:82:dd:88:00); the ISE Server drives the session. The sequence starts when the user opens a browser.)

Guest Services Portal
When to Use Web-Authentication?
• 802.1X: managed 802.1X devices, known users
• MAB (mac-address bypass): managed devices
• Web Auth: users without 802.1X devices, users with bad credentials
(Figure: an employee with a supplicant (SSC) uses 802.1X; an employee with bad credentials and a guest fall back to Web Auth.)
• Web Auth is a supplementary authentication method, most useful when users can’t perform or pass 802.1X
• Primary use case: Guest Access. Secondary use case: Employee who fails 802.1X

Guest Authentication Portal
• Wireless Guest Authentication Portal is available in 4 modes:
  - Internal (default web authentication pages)
  - Customised (downloaded customised web pages)
  - External using ISE Guest Server
  - External (redirected to external server)

Wireless Guest Authentication Portal
Internal Web Portal
• Wireless guest user associates to the guest SSID
• Initiates a browser connection to any website
• Web login page is displayed (fixed welcome text, login credentials)

Customisable Web Portal
• Create your own Guest Access Portal web pages
• Upload the customised web page to the WLC
• Configure the WLC to use “customisable web portal”
• A customised WebAuth bundle up to 5 Mb in size can contain:
  - 22 login pages (16 WLANs, 5 Wired LANs and 1 Global)
  - 22 login failure pages (in WLC 5.0 and up)
  - 22 login successful pages (in WLC 5.0 and up)

External Web Portal
• Set in WLC > Security > WebAuth > Login
• Or override at the Guest WLAN
• Option to use a Pre-Auth ACL

Wireless Guest
Centralised Login Page
1) Administrator creates the WLAN login page on ISE
2) Wireless guest opens a web browser
3) Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server
4) Guest Server returns the centralised login page
(Figure: the redirect path runs from the guest through the AP and WLC to ISE.)

Guest Services Provisioning
Requirements for Guest Provisioning
• Might be performed by a non-IT user
• Must deliver basic features, but might also require advanced features:
  ‒ Duration
  ‒ Start/End Time
  ‒ Bulk provisioning, …
• Provisioning strategies:
  ‒ Lobby Ambassador
  ‒ Employees

Multiple Guest Provisioning Services
• The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
  ‒ Wireless LAN Controller: basic provisioning (included in the Cisco Wireless LAN Solution)
  ‒ Cisco Prime Infrastructure: dedicated provisioning (additional Cisco product)
  ‒ Identity Services Engine: advanced provisioning (additional Cisco product)
  ‒ Customer server: customised provisioning (customer development)

Guest Provisioning Service: WLC
Cisco Wireless LAN Controller
• Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
• Lobby Ambassadors have limited guest features and must create the user directly on the WLC:
  • Create Guest User – up to 2048 entries
  • Set time limitation – up to 35 weeks
  • Set Guest SSID
  • Set QoS Profile

Guest Provisioning Service
Create the Lobby Admin in WLC
• Lobby administrator can be created in the WLC directly

Local WLC Guest Management
(Screenshots: quickly create a guest with time and WLAN profile; the password is created; guest web login.)

Guest Provisioning Service: NCS
Cisco Prime Network Control System
• NCS offers specific Lobby Ambassador access for guest management only
• Lobby Ambassador accounts can be created directly on NCS, or be defined on external RADIUS/TACACS+ servers
• Lobby Ambassadors on NCS are able to create guest accounts with advanced features like:
  • Start/End time and date, duration
  • Bulk provisioning
  • Set QoS Profiles
  • Set access based on WLC, Access Points or Location

Lobby Ambassador Feature in NCS
• Associate the lobby admin with Profile and Location specific information
(Screenshots: add a guest user with NCS; print/e-mail details of the guest user; schedule a guest user.)

Cisco Guest Services
Cisco ISE Guest Server
Guest User Creation
(Figure: a Lobby Ambassador or employee sponsor uses the ISE Guest Server (Lobby Ambassador portal, guest account database, monitoring & reporting); the guest (visitor, contractor, customer) authenticates through the Wireless LAN Controller, which enforces the policy and sends RADIUS requests and accounting to ISE before traffic enters the corporate network and the Internet.)
1. Sponsor creates Guest Account through the dedicated ISE server
2. Credentials are delivered to the Guest by print, email or SMS
3. Guest authentication on the Guest Web Portal
4. RADIUS Request from WLC to Cisco ISE Server
5. RADIUS Response with policies (session timeout, …)
6. RADIUS Accounting with session information (time, login, IP, MAC, …)
7. Traffic can go through

Web Auth and Guest Access
Wireless Considerations
• WLC 7.0 supports LWA; 7.2 adds CWA support
• ISE Guest Services requires account activation; the initial web auth must be against the ISE guest portal (LWA or CWA). As a result:
  o Requires ISE to be the web auth portal for LWA; no support for hosting the guest portal on the WLC
  o For anchor controller deployments, requires a pinhole through the DMZ firewall back to the ISE PSN on tcp/8443 from the guest IP address pool

Web Auth and Guest Access
• LWA vs CWA: CWA piggybacks on the MAB authentication policy rule. Configure: If User Not Found = Continue (default: Reject)
  - Reject: if the MAC address lookup fails, reject the request and send an Access-Reject
  - Continue: if the MAC address lookup returns no result, continue the process and move to authorisation

URL Redirection
Central Web Auth, Client Provisioning, Posture
• Redirect URL: for CWA, Client Provisioning and Posture, the URL value is returned as a Cisco AV-pair RADIUS attribute.
  Ex: cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
• Redirect ACL: access devices must be locally configured with an ACL that specifies the traffic to be permitted (= redirected) or denied (= bypass redirection). The ACL value is returned as a named ACL on the NAD.
  Ex: cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
  ACL entries define traffic subject to redirection (permit) and traffic to bypass redirection (deny)
• Port ACL: ACL applied to the port (default ACL, dACL, named ACL) that defines the traffic allowed through the port prior to redirection

Common URLs for Redirection
• URL Redirect for Central Web Auth:
  Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
• URL Redirect for Client Provisioning and Posture:
  Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
• URL Redirect ACL:
  Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT
• LWA URL for Default ISE Guest Portal:
  https://ip:8443/guestportal/portal.jsp
• LWA URL for Custom ISE Guest Portal:
  https://ip:8443/guestportal/portals/ClientPortalName/portal.jsp
• CWA URL redirect for Custom ISE Guest Portal:
  Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?portal=ClientPortalName&sessionId=SessionIdValue&action=cwa

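As an added example (not code from the deck, the WLC or ISE), the following Python parses the cisco-av-pair attributes listed above out of an Access-Accept, validates the url-redirect value (HTTPS, tcp/8443, the gateway path, a sessionId and a known action) and models the redirect ACL semantics stated above, where permit means the flow is intercepted and redirected and deny means it bypasses redirection. The AclEntry format, the host ise.example.com, the session id and the sample ACL are constructed.

```python
"""Parse ISE CWA url-redirect / url-redirect-acl AV-pairs and model the redirect ACL.

Added example, not code from the Cisco Live deck, the WLC or ISE. The AclEntry
format, SAMPLE_REDIRECT_ACL, SAMPLE_ATTRS, the host ise.example.com and the
session id are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union
from urllib.parse import parse_qs, urlsplit

ISE_PORTAL_PORT = 8443
ISE_GATEWAY_PATH = "/guestportal/gateway"
KNOWN_ACTIONS = ("cwa", "cpp")  # central web auth; client provisioning / posture


def parse_av_pairs(attrs: List[str]) -> Dict[str, str]:
    """Map key -> value for every cisco-av-pair attribute in an Access-Accept.

    Accepts both the "cisco:cisco-av-pair=k=v" and "cisco-av-pair=k=v" spellings;
    only the first '=' after the prefix separates key from value, so '=' inside
    the redirect URL's query string is preserved.
    """
    pairs: Dict[str, str] = {}
    for raw in attrs:
        _, sep, body = raw.partition("cisco-av-pair=")
        if not sep:
            continue  # some other RADIUS attribute
        key, _, value = body.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def validate_redirect_url(url: str) -> Tuple[bool, Union[str, Dict[str, Optional[str]]]]:
    """Return (True, details) for a well-formed ISE gateway redirect, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "redirect must use https"
    if parts.port != ISE_PORTAL_PORT:
        return False, f"ISE guest portal listens on tcp/{ISE_PORTAL_PORT}"
    if parts.path != ISE_GATEWAY_PATH:
        return False, f"unexpected path {parts.path!r}"
    query = parse_qs(parts.query)
    if "sessionId" not in query:
        return False, "sessionId missing; ISE cannot tie the portal login to the session"
    action = query.get("action", [""])[0]
    if action not in KNOWN_ACTIONS:
        return False, f"unknown action {action!r}"
    return True, {"host": parts.hostname, "action": action,
                  "session_id": query["sessionId"][0],
                  "portal": query.get("portal", [None])[0]}


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" = subject to redirection, "deny" = bypass redirection
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination host/IP or "any"
    dport: Optional[int]  # destination port, None = any


def redirect_decision(acl: List[AclEntry], proto: str, dst: str, dport: int) -> str:
    """First match wins: permit -> "redirect", deny -> "bypass"; no match -> "bypass"."""
    for entry in acl:
        if (entry.proto in (proto, "any") and entry.dst in (dst, "any")
                and (entry.dport is None or entry.dport == dport)):
            return "redirect" if entry.action == "permit" else "bypass"
    return "bypass"


# Constructed ACL for the pre-auth state: DHCP, DNS and the ISE portal itself bypass
# redirection, web traffic is intercepted, everything else is simply not redirected.
SAMPLE_REDIRECT_ACL = [
    AclEntry("deny", "udp", "any", 67), AclEntry("deny", "udp", "any", 68),
    AclEntry("deny", "udp", "any", 53),
    AclEntry("deny", "tcp", "ise.example.com", ISE_PORTAL_PORT),
    AclEntry("permit", "tcp", "any", 80), AclEntry("permit", "tcp", "any", 443),
]

# Constructed Access-Accept attributes in the form the session shows for CWA.
SAMPLE_ATTRS = [
    "cisco:cisco-av-pair=url-redirect=https://ise.example.com:8443/guestportal/gateway"
    "?sessionId=0a0a64010000001a5a3f0c2e&action=cwa",
    "cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT",
]


def cwa_policy(attrs: List[str]) -> Dict[str, object]:
    """Combine both attributes into one policy record, or raise on an unsafe redirect."""
    pairs = parse_av_pairs(attrs)
    ok, detail = validate_redirect_url(pairs.get("url-redirect", ""))
    if not ok:
        raise ValueError(f"rejecting url-redirect: {detail}")
    return {"acl": pairs.get("url-redirect-acl"), **detail}


if __name__ == "__main__":
    print(cwa_policy(SAMPLE_ATTRS))
    for flow in (("tcp", "93.184.216.34", 80), ("udp", "10.1.1.1", 53),
                 ("tcp", "ise.example.com", 8443), ("tcp", "10.2.2.2", 22)):
        print(flow, "->", redirect_decision(SAMPLE_REDIRECT_ACL, *flow))
```

The permit/deny meaning modelled here follows the session's wording for access devices; AireOS Wireless LAN Controllers apply the inverse convention to their redirect ACL (permit = bypass, deny = redirect), so confirm the platform's behaviour before reusing the model.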
ISE Sponsored Guests – Sponsor Portal
• Customisable web portal for Sponsors as well
• Authenticate Sponsors with corporate credentials:
  ‒ Local Database
  ‒ Active Directory
  ‒ LDAP
  ‒ RADIUS
  ‒ Kerberos

Guest Portal Localisation
Several languages are supported natively in ISE 1.1. All guest user pages are translated:
• Authentication page
• Acceptable usage policy
• Success/failure page

ISE Sponsored Guest
(Figure: URL-REDIRECT from the WLC to the ISE Guest Server, which checks the GUEST Identity Store.)
1. Guest is redirected to the ISE Guest Portal when the browser is launched.
2. Guest enters the credentials created by the Sponsor.
3. Account is verified on the ISE decision point against the Guest User Identity Store.

ISE Self-Registration
4. Guest is redirected again to log in with the auto-generated username/password.
5. Guest is provisioned with an Authorisation Policy for Web Access Only (GUEST Identity Store).
6. Account is monitored via the timed profile settings while the guest reaches the Internet.

ISE Guest User Portal Settings
• Guest Portals define what Guest Users will be allowed to perform:
  • Guests can change password
  • Guests change password at first login
  • Guests can be allowed to download the posture client
  • Guests can do self service
  • Guests can be allowed to do device registration

Cisco ISE Guest Server
Sponsor Authentication: Local Account/AD
• Assign user/group to Sponsor
• Integrate with Active Directory
• Order priority sequence to AD > Internal

Guest Portal Customisation
• Multi-Portal Policies
• Username Policy
• Password Policy
• Localisation
• Time Profiles

Sponsor Portal
• https://<ise-server-ip>:8443/sponsorportal/

Sponsor – Guest Account Creation
• Create/View/Modify Guest Accounts
• Personal Settings
• Tools to manage Guest Accounts: Email / Print / SMS

Guest Monitoring, Reporting and Troubleshooting
Live Guest Verification - ISE
• Monitor > Operations > Authentications window will show all authentications including Guests
• Identity and Authorisation can be found for Guests

Guest Monitoring - NCS
• Monitor > Clients and Users window will show all authentications including Guests
• Identity and Authorisation can be found for Guests

Guest Activity Reporting - ISE
• Guest Reports
• Drill down to Guest Detail

Guest Activity Reporting - NCS
• Customised Profile and Variable Reporting
• Scheduling Periods

Summary
What We Have Covered…
• What Guest Access Services are made of.
• The need for a secured infrastructure to support isolated Guest traffic.
• Unified Wireless is a key component of this infrastructure.
• The Guest Service components are integrated in the Cisco Wired and Wireless Solution.
• Securing FlexConnect is simple to understand and configure.
• Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network.
• Cisco TrustSec enhances Guest Services overall.

Recommended Reading

Q&A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2013 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations:
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
• Visit any Cisco Live Internet Station located throughout the venue
Polo Shirts can be collected in the World of Solutions on Friday 8 March 12:00pm-2:00pm.

Don’t forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button.
www.ciscoliveaustralia.com/portal/login.ww