Cisco-Wireless-Guest-v10.pptx

108 views 45 slides Sep 03, 2023
Slide 1
Slide 1 of 45
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32
Slide 33
33
Slide 34
34
Slide 35
35
Slide 36
36
Slide 37
37
Slide 38
38
Slide 39
39
Slide 40
40
Slide 41
41
Slide 42
42
Slide 43
43
Slide 44
44
Slide 45
45

About This Presentation

WLAN Guest ppt

Size: 8.27 MB
Language: en
Added: Sep 03, 2023
Slides: 45 pages

Slide Content

Solutions Overview and Positioning Wireless Guest Access

Why this presentation? CMX ISE WLC https:// isepb.cisco.com EMSP

ISG – Intelligent Services Gateway http:// www.cisco.com /c/en/us/products/collateral/ ios - nx - os -software/intelligent-services-gateway- isg /prod_bulletin0900aecd804a2c70. html More dedicated to SP scenarios. I n some use cases it might be used as an alternative to the presented solutions, in case scalability limits are hit. What we will not cover

Secure SSID Open SSID A secure SSID cannot fall back to open. Example: guests not supporting 802.1X cannot fall back to web portal authentication on the same SSID as corporate users. Pre- shared keys (PSK) and keys derived from 802.1X cannot co-exist on a secure SSID. On both types of SSIDs you can combine multiple identity services if needed. Examples : guest users going through posture assessment, employees going through MDM, employees going through web portal after device authentication, etc . Guest SSID – Secure or O pen ?

To PSK or not to PSK? Q: Can I deploy PSK on top of web auth ? A: Yes. But… It is not much more secure than Open, since all users will anyway share the same key. It adds extra burden to the end users, who would need to ask for the PSK to the helpdesk. PSK + LWA has always been supported. PSK + CWA is supported starting from AireOS 8.3. Q: Hey Cisco, why don’t you deploy a guest portal at Cisco Live? A: We cannot / don’t want to because: The WLC has a limitation of up to 2,000 clients in the WEBAUTH_REQD run state (i.e., being redirected to the web portal and not yet fully authorized). For such a big event with thousands of users, we prefer to avoid passersby to connect to the Cisco Live network from the street and to add even more clients.

WLC native guest

AP-WLC DHCP/DNS RADIUS Server Additionally: MAB 802.1X Pre- webauth ACL Client acquires IP Address and resolves DNS HTTPS(S) request Login page redirect Client sends credentials WLC queries the RADIUS server RADIUS server returns policy Server authorizes user WLC a pplies new WebAuth policy (L3) SSID with WebAuth a.k.a. Local Web Authentication (LWA) 7 LOCAL because the redirection URL and the pre- webauth ACL are locally configured on the WLC. MAB 802.1X Local Web Auth 1 2 3 4 5 6

AP-WLC DHCP/DNS Ext. Web/RADIUS Server Pre- webauth ACL Client acquires IP Address and resolves DNS SSID with WebAuth LWA with external web server redirect 1 2 3 HTTP(S) request Ext. page redirect 4 Client goes to the ext. server and enters credentials Server redirects back to WLC’s virtual IF with client’s credentials Server “authorizes” user 5 6 HTTPS request with credentials WLC queries the RADIUS server RADIUS server returns policy Server really authorizes user 7 WLC a pplies new WebAuth policy (L3) 8 LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC. MAB 802.1X Local Web Auth Additionally: MAB 802.1X

AP-WLC DHCP/DNS NGS Pre- webauth ACL Client acquires IP Address and resolves DNS SSID with WebAuth Cisco NAC Guest Server (NGS) 1 2 3 HTTP(S) request Ext. page redirect 4 Client goes to the ext. server and enters credentials Server redirects back to WLC’s virtual IF with client’s credentials Server “authorizes” user 5 6 HTTPS request with credentials WLC queries the RADIUS server RADIUS server returns policy Server really authorizes user 7 WLC a pplies new WebAuth policy (L3) 8 Additionally: MAB 802.1X For your reference EoS September ’ 15 http:// www.cisco.com/c/en/us/products/collateral/routers/7600-series-routers/eos-eol-notice-c51-734104.html

10 For your reference http:// www.cisco.com /c/en/us/support/docs/wireless-mobility/ wlan -security/115951-web-auth-wlc-guide-00. html LWA – configuration example

The cool stuff It is integrated , has been there since ever and could technically work with any external web and RADIUS servers. It supports both local and external databases. It has a fairly good level of customization. It supports per-user assignment of some L3 policies (e.g. , QoS , rate limiting, etc.). It supports Lobby Ambassador users to create guest accounts, either on the WLC or through Prime too. It supports HTTPS certificate upload for the virtual interface. Recommended for : small campuses.

Let’s be aware that… The local database is limited to 2048 entries max. It is not as easy as ISE or CMX to customize. The Lobby Ambassador interface is not customizable and has limited options (e.g., no SMS support). The WLC’s web engine is limited to ~150 logins/sec and 2,000 clients in the WEBAUTH_REQD run state. With external portals, we’d need to trust 2 different certificates: the WLC virtual interface’s and the external web server’s.

Some more options with Prime

CMX Connect

Cisco’s former wireless location solution was called MSE (Mobility Services Engine). Up to MSE version 8.0, “MSE” still indicates both the server (physical appliance or virtual) and the software running on it. “CMX” initially was a new set of features, introduced in MSE 7.4, and which then took over the name for the whole Cisco’s wireless location and analytics solution. Today “MSE” still indicates the physical appliance (e.g., MSE 3365) and “CMX” indicates the software and all the location and analytics services. Example: CMX 10.2.2 runs on MSE 3365 or as a virtual image. What is Cisco CMX?

AP-WLC DHCP/DNS Web Server (CMX) Pre- webauth ACL Client acquires IP Address and resolves DNS SSID with WebAuth Web Passthrough (another form of LWA) LOCAL because the redirection URL and the pre- webauth ACL are locally configured on the WLC. Local Web Auth 1 2 3 HTTP(S) request Ext. page redirect 4 Client goes to the ext. server and completes some actions Server redirects back to WLC with Ok Server “authorizes” user 5 Success 6 HTTPS request with Ok

17 For your reference http://www.cisco.com/c/en/us/td/docs/wireless/mse/10-2/cmx_config/b_cg_cmx102/the_cisco_cmx_connect_and_engage_service.html Passthrough – configuration example

The cool stuff It supports different portals based on client’s location. It is quite easy to configure and customize . Neat look and feel on mobile devices. It supports social logins , registration forms and SMS (w/ Twilio ). It supports demographic data from social logins. Facebook Wi-Fi . Recommended for : pure hotspot use cases.

Let’s be aware that… No integration with external SIEM solutions for guest logging . For such a need, a FW/proxy should be used. It does not support dynamic L2/L3 policies assignment. Customization is limited (e.g., pre-canned elements, no native multi-language support, etc.). It is still limited by the WLC’s ~150 logins/sec. and 2,000 clients in the WEBAUTH_REQD run state .

Enterprise Mobility Services Platform (EMSP)

AP-WLC DHCP/DNS Web Server (EMSP) Pre- webauth ACL Client acquires IP Address and resolves DNS SSID with WebAuth Web Passthrough (kind of LWA) LOCAL because the redirection URL and the pre- webauth ACL are locally configured on the WLC. Local Web Auth 1 2 3 HTTP(S) request Ext. page redirect 4 Client goes to the ext. server and completes some actions Server redirects back to WLC with Ok Server “authorizes” user 5 Success 6 HTTPS request with Ok

22 For your reference Internal only: http://iwe.cisco.com/web/view-post/post/-/posts?postId=775600122 Passthrough – configuration example

The cool stuff It supports different portals based on client’s location. It is fully customizable and opens up scenarios for mobile apps integration. Neat look and feel on mobile devices. It “should” support user verification through SMS. It supports venue maps. It supports integration with merchant’s dynamic content.

The less cool stuff It does not support login/password, hence no external databases, Sponsor/Lobby Ambassador, etc. It does not support L2/L3 policies assignment. Full customization may become quite complex for casual users. It becomes very cumbersome to centralize users information for guest traffic logging. It is still limited by the WLC’s ~150 logins/ sec. and 2000 clients in the WEBAUTH_REQD run state . It is technically sold as a SW product, but AS might quickly become necessary.

http:// www.cisco.com/c/en/us/support/wireless/enterprise-mobility-services-platform/tsd-products-support-series-home.html and http:// www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Mobility/Mobility_Services/EMSP/emsp-3-0/Cisco-WiFi-Engage-with-CUWN-Configuration-Guide.pdf It’s a Cisco cloud based solution, usually purchased by partners, and which can then be proposed as a service to end customers. For more details

ISE Guest Portal

27 AP-WLC DHCP/DNS ISE Server Client acquires IP Address, Triggers Session State 4 Open SSID with MAC Filtering enabled 1 AuthC success; AuthZ for unknown MAC returned: Redirect/filter ACL, portal URL Client opens browser – WLC redirects browser to ISE web page Login Page Client enters Username/Password 5 Web Auth Success results in CoA Server authorizes user 6 MAB re-auth MAB Success Session lookup – policy matched Authorization ACL/VLAN returned. 7 First authentication session 2 3 CENTRAL because the redirection URL and the pre- webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS. Central Web Auth Central Web Authentication (CWA) Note: you can also use ISE as the external web server for LWA if you do not want to / cannot use CWA.

For your reference CWA – c onfiguration example http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Usually better resiliency: LWA may rely on DNS, CWA relies on the first available ISE PSN. Different portals for different locations (e.g., AP group, FlexConnect group, AP location, etc.). LWA supports dynamic assignment of L3 policies only (e.g., ACL, QoS , rate limiting, etc.). CWA supports dynamic assignment of both L2 (i.e., VLAN) and L3 policies. Note: VLAN assignment is highly not recommended for plain CWA scenarios. However, it can apply to some 802.1X+CWA scenarios. Why CWA over LWA? For your reference

Different portals for different locations How could we redirect guests from a specific WLAN or a specific location to separate portals? 30 For your reference

Different portals for different locations 31 RADIUS [30] Called-Station-ID For your reference

802.1X + CWA (ISE 1.3+) Use Case: Machine and User Authentication for Mobiles WLC ISE 1.3 Machine Profile Machine+ User Profile For your reference

The cool stuff It has the most complete set of options for guest access verification (self-service, SMS, email, common code, etc.). It is fully customizable, even with the Portal builder on Cisco cloud : https:// isepb.cisco.com It’s the only solution supporting assignment of both L2 and L3 policies. It supports both internal and external databases. It supports up to 1M local guest accounts, different portals based on client’s location and certificate(s) on ISE only.

The less cool stuff CWA does not work with non-Cisco network devices nowadays (it should be addressed in ISE 2.0). The admin needs to be familiar with access control solutions and techniques (e.g., LWA vs. CWA). Even if there are dedicated “portal admins” using the Portal Builder, it is up to the “ISE admin” to configure portal policies. The guest database cannot be exported/backed up. Guest portals are limited to ~150 logins/sec per PSN (3495). You can still load balance between PSN’s. It does not support social logins (yet).

How about Meraki?

It’s not all just about guests… Usually customers choose Cloud vs. On Premise based on other major needs, rather than guest. In case the customer chose Meraki, the major features for guests would be: Easy portal customization. Internal and external database support for RADIUS authentication. SMS authentication with Twilio . Integration with a billing system. Integration with Meraki’s MDM. Some Sponsor/Lobby Ambassador options. Support for ISE CWA.

What customers also ask for

How can I support payments by credit card? You should have hurried up and bought the previous NAC Guest Server solution ( EoS Sept. ‘15) Support for a single provider. Not too many asks. http:// www.cisco.com /c/en/us/td/docs/security/ nac / guestserver / configuration_guide /21/ nacguestserver /g_hotspots.html#wp1068767

How can I log guest users’ traffic? We’d need to deploy different components data traffic web portal traffic inline devices with potential traffic visibility

“RADIUS accounting: user ABC, IP XYZ, etc.” “SYSLOG: IP XYZ sent this traffic” IP XYZ > user ABC so “user ABC sent this traffic ” Example - logging traffic on ISE http:// www.cisco.com /c/en/us/support/docs/security/ nac -appliance-clean-access/110304-integrated-url-log.html

How can I log guest users’ traffic? What customers sometimes prefer data traffic web portal traffic inline devices with potential traffic visibility

Some quick and dirty positioning examples

Typical needs: Basic guest account creation options and customization. Support for sponsor/lobby administrator. Few locations. Positioning: Native WLC’s guest portal with customizable web auth bundle: https:// software.cisco.com /download/ release.html?mdfid =282600534&flowid=7012&softwareid=282791507&release=1.0.2&relind= AVAILABLE&rellifecycle =& reltype = latest Some additional options (e.g., email sending) through Prime. ISE Express could be a valuable entry level solution too: http :// www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa_c67-736030.html Small Campus

Typical needs: Differentiated guest account creation options and customization. Support for multiple sponsor groups and privileges. Multiple locations with 802.1X most likely already in place. Positioning: ISE with the latest guest/sponsor features. Extended customization, with guest and sponsor management. Support for differentiating portals based on locations (e.g., AP location, AP group, FlexConnect group, etc.). ISE Portal Builder: https:// isepb.cisco.com Medium/Large Campus

Typical needs: Mass guest logins management for hotspot only, not for employees. Simple fill-in forms or social login. Multiple locations with quick customization and advertisement options . Positioning: CMX Connect (or even EMSP). For very large venues (e.g., stadiums) going beyond the 2,000 WEBAUTH_REQD clients limit, an SP-based solution might be needed (e.g., Cisco ISG or similar). Very quick customization options and no guest database management needed. Public Hotspot (retail, healthcare, events, etc.)
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 108
  • Slides 45
  • Age 820 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
29 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views
View More in This Category