Providing Guest Access in the Enterprise Environment Using the Cisco WLAN Controller

Transcription

1 Providing Guest Access in the Enterprise Environment Using the Cisco WLAN Controller Author: Marcus Jones, Senior Wireless Training Specialist, CCSI, CCNA and CWNA

2 Providing Guest Access in the Enterprise Environment Using the Cisco WLAN Controller Introduction Imagine inviting a customer to your organization for a meeting. In the course of the meeting, your guest wishes to use your company s new service web site to check on the status of a shipment, or perhaps, check during a break. Without access to the Internet, your customer is unable to do these things. A guest network that provides the customer with access to the Internet would have been very helpful. While a guest network is important to your current and potential customers, it is imperative to create one that does not compromise the corporate network. This white paper, written by GigaWave s senior wireless training specialist, will reflect on the design and deployment of a guest network using the Cisco WLAN controller, isolated from the corporate network, that will provide both wired and wireless guest access. Guest Access Overview A guest network should be able to utilize, as much as possible, the existing network, both wired and wireless. A wireless guest network will need to provide a dedicated SSID for wireless guests. This SSID should be available throughout the corporate campus. Guest traffic should be isolated from the corporate network by the use of Layer 2 or Layer 3 techniques. Wired access from conference rooms or visitor stations should meet the same requirements. Access to the guest network should be managed so that the network is restricted to guests and does not become a public Wi-Fi network. Access should be able to be controlled by a guest host or lobby ambassador to prevent burdening the IT staff with creating and managing temporary guest access. Using the Cisco WLAN Controller to provide Guest Access Cisco s 4400 series WLAN controller can act as an anchor for the guest network. Utilizing Ethernet in IP (RFC3378) tunnels between the foreign WLAN controller to which the guest is connected and an anchor WLAN controller in the enterprise DMZ, a Layer three tunnel is created that isolates guest traffic from the corporate network without requiring additional access control lists (ACLs) and protocols making the implementation easier to accomplish. Wired guests can be configured so that they are passed through the foreign WLAN controller and utilize the same Ethernet in IP tunnel mechanism. In addition to providing the guest tunneling function, the WLAN controller can be configured to provide WEB access. This allows the guest to be provided with user credentials that are requested from either the internal WEB service on the WLAN controller or passed through to an external WEB service. The credentials can be entered into the system by a lobby ambassador using either direct connection to the controller or via the Cisco Wireless Control System (WCS). A lobby ambassador account provides limited access to the WLAN controller for the express purpose of creating and managing user names and passwords for guests. For long-term visitors, such as contract vendors, a user account can be entered into a AAA server database and managed by the IT staff. Page 1

3 The following diagram shows a guest network using foreign and anchor controllers. In the example above, a Wireless LAN Controller (WLC) is placed in the enterprise DMZ where it anchors the guest access. This anchor controller terminates the EoIP tunnels that originate on other controllers throughout the campus. Data received on the access point, using the GUEST SSID, is transported from the access point to the foreign controller in a Lightweight Access Point Protocol (LWAPP) tunnel and, from there, transported via an EoIP tunnel to the anchor controller. A wired guest is connected to a port on a Layer 2 access switch or a switch port with a virtual LAN (VLAN) interface designated for guest access traffic. All data on this VLAN is trunked to the controller. From the controller, the traffic is tunneled to the anchor controller which places the data on the guest VLAN just as it would a wireless client. In either case, by implementing WEB access, when the guest opens a browser to the Internet, he or she is presented with a log-in screen. Deploying the Anchor Controller The anchor controller is normally placed in the enterprise Internet DMZ. The firewall should be configured with rules to manage communications between the authorized foreign controllers and the anchor controller. To restrict communications so that all traffic must flow between the anchor controller and the foreign controllers, ACLs that filter on the source or destination of the controller address could be added to the firewalls. In addition, rules allowing UDP port or inter-controller communication and UDP port 97 for Ethernet in IP traffic could be added. Using a topology that would allow the firewall to protect the anchor controller from outside attacks is a possibility as well. Because the anchor controller is placed in the DMZ, it is recommended that it be dedicated to guest access only and not used for providing wireless access to the corporate network. Page 2

4 Guest access points do not have to be joined to the anchor controller. The most cost effective controller to use is the Cisco 4402 series controller. This controller can support up to 40 connections to foreign controllers, 2500 guest clients and provide two gigabits of forwarding capacity. For management of the controller, the rules for the following ports may need to be added: TCP 161 and 162 for SNMP UDP 69 for TFTP TCP 80 or 443 for HTTP, or HTTPS for GUI access (default is HTTPS) TCP 23 or 22 for Telnet, or SSH for CLI access (default is SSH) DHCP Services The first point at which DHCP can be applied is at the anchor controller. The anchor controller can be configured to provide DHCP services to the clients or can be configured to point to an external DHCP server using a configured DHCP relay address. Routing All guest traffic enters the network at the anchor controller. If the trunk port on the anchor controller is connected directly to an interface on the Internet border router, the gateway address of the clients will be the IP address of the router interface. If the trunk port of the anchor controller is connected to the firewall, the gateway address of the guest clients will be the IP address of the firewall interface. For incoming traffic to the guest client, the guest VLAN is seen as a directly connected network and advertised by the network as such. Anchor Controller Redundancy More than one controller can be designated as an anchor controller for the Guest SSID. In this configuration, the foreign controller will alternate between the controllers on a per user basis. The foreign controller will continuously ping the anchor controllers to verify connectivity. If an anchor controller becomes unreachable, the foreign controller will disassociate any wireless clients connected to the unreachable anchor and reassociate them to an alternate anchor controller. If web authentication is being used, the clients will be presented with the log-in screen and must re-enter their credentials. Web Portal Authentication There is a built-in web portal that can be used to request log-in credentials from a guest. This portal offers simple branding capabilities and is able to display an acceptable use policy. This web portal is available on any WLAN configured for web authentication. It is possible to import a more customized page to be stored locally on the controller or to redirect the guest client to an external web server. When using web authentication, the guest user is redirected to the web authentication page when they open a web browser session. The guest user requests a DNS lookup for his or her homepage or other URL. The DNS response is redirected to either the log-in or acceptance page. Upon entering the correct credentials or accepting the acceptable use credentials is pass-through mode, the user is redirected to either his or her original DNS request or to a web page that he or she chooses. Page 3

5 In order for web authentication to work, the guest must open a browser that can be resolved by the DNS server and be to a URL that accepts the default HTTP port 80. Guest Credentials The WLAN controllers have a lobby ambassador management account that can be created by the network administrator that restricts access to the creation and managing of guest credentials. This account can only create accounts for WLANs that have been created by the network administrator that provide web authentication. The user s name is entered into the local database as a guest user and a lifetime is set. When the lifetime of the username ends, it is automatically deleted from the controller. The Cisco WCS also supports a lobby ambassador account. When using the WCS, the lobby ambassador can apply the user account to multiple WLAN controllers using a WCS template. It also allows the lobby ambassador to create accounts prior to the guest s arrival. When using this template, the lobby ambassador can create not only a start and end date, but restrict the number of hours each day the account is available. In addition, this information can be configured to new credentials each day to guests who are visiting over multiple days. This template also allows the guest access to be limited to specific campuses, buildings and floors. When using the lobby ambassador, the guest accounts are stored on the anchor controller for WLANs or guest LANs that are configured for web authentication. Configuring the WLAN Controllers for Guest Access: Step-by-Step Instructions The following tasks need to be accomplished to create guest access: 1. Create a mobility group that includes the anchor controller and all the foreign controllers that will connect to it. 2. Configure the controllers with the interface that will provide access to the Internet. If you are using a wired guest LAN, you will need to create a guest interface on each of the controllers. 3. Create a WLAN or Guest wired LAN on the foreign and anchor controllers that use web authentication. 4. Create a lobby ambassador account on the controller or on the WCS. Create the guest accounts. To create a mobility group, each controller must be configured with the following: 1. All controllers must be configured for the same LWAPP transport mode (Layer 2 or Layer 3) 2. Each controller must be able to reach the management interface of all other controllers in the mobility group via IP. 3. All controllers must have the same mobility group name. 4. All controllers must be running the same version of controller software. 5. All controllers must be configured with the same virtual interface IP address. Each controller must be configured with the IP address and MAC address of all the other controllers in the mobility group. Page 4

6 To configure the controllers with the interface that will provide access to the Internet, do the following: 1. Create a new dynamic interface. When creating the new dynamic interface, enter the name and VLAN ID. 2. Now add the following: a. VLAN Identifier b. Fixed IP address, IP network mask and default gateway. c. Physical port assignment. (Not necessary if Link Aggregation has been configured on the controller.) d. Primary and secondary DHCP servers. Access control list name if ACLs have been defined for the interface. To create a guest WLAN, complete the following: (Note It is assumed that the WLAN will provide web authentication and no data encryption.) 1. Create a WLAN on the controllers. Give it a name and SSID that you wish to use for guest access. 2. Under the General Tab: a. Select the Enabled box for Status. b. Select the Radio Policy, a/n, b/g/n or all Select the Interface you created for guest access. Under the Security Tab, select Layer 3 Security and select the Web Policy check box and the authentication option. To enable the anchor controller, choose the guest SSID you have created and select the controller that will be the anchor controller. More than one controller can be chosen. To create a Guest LAN for wired access, complete the following: 1. Create an interface on the controllers and designate it as a Guest LAN. This will restrict this interface to ingress into the controller. Wired guest ports should be assigned to this VLAN. 2. Create a Wired LAN in the WLAN configuration area. Give it a name and SSID that you wish to use for guest access. 3. Under the General Tab: a. Select the Enabled box for Status. b. Choose the Guest WLAN you created as the Ingress Interface. c. Choose the interface you created for guest access as the Egress Interface. Web authentication is the default security policy To enable the anchor controller, choose the Wired LAN you have created and select the controller that will be the anchor controller. More than one controller can be chosen. For further reference to design and configuration for WLAN controllers, refer to the Cisco Enterprise Mobility 4.1 Design Guide available at Page 5

7 About the Author Marcus Jones is the Senior Wireless Training Specialist at GigaWave Technologies. Marcus has over 25 years experience in data communications with more than 12 years in wireless data communications. Marcus joined GigaWave Technologies in July 2000, and has trained Cisco Employees, Cisco distributors, Cisco premier partners, Cisco resellers and Cisco end-users. He holds a CCSI, CCNA and CWNA. Suggested Cisco Unified Wireless Courses and Technical Training Cisco Unified Wireless Networking (CUWN) The Cisco Unified Wireless Networking (CUWN) course covers the design, install, configure, and maintain a wireless network both as an add-on to an existing wireless LAN and as a new Cisco Unified Wireless Network solution. For a detailed course description and current training schedule, visit About GigaWave Technologies GigaWave Technologies offers innovative wireless networking workshops for IT professionals who want to know how to design, install, secure or sell high performance Wireless Local Area Network (WLAN) and bridging technologies. As a leading provider of WLAN training, curriculum development and wireless services, GigaWave provides its trademark, high-caliber, hands-on training techniques to progressive organizations across the globe. GigaWave specializes in wireless networking and has attained an unrivaled level of WLAN expertise. As an authorized Cisco Learning Partner, GigaWave Technologies develops and delivers the Cisco wireless networking classes. For the most current training schedule and to view full course descriptions, go to or call GigaWave is a division TESSCO Technologies. About TESSCO TESSCO Technologies Incorporated is a provider of the product and supply chain solutions needed to build, operate and use wireless systems. TESSCO is committed to delivering, fast and complete, the product needs of wireless system operators, program managers, contractors, resellers, and self-maintained utility, transportation, enterprise and government organizations. As Your Total Source provider of mobile and fixed-wireless network infrastructure products, mobile devices and accessories, and installation, test and maintenance equipment and supplies, TESSCO assures customers of on-time availability, while streamlining their supply chain process and lowering inventories and total costs. To learn more, please visit Gulfdale San Antonio, Texas Phone Fax info@giga-wave.com Page 6