Designing Unified Guest Access, Wired and Wireless BRKEWN-2016





Agenda
- Overview: Guest Access as a Supplementary User Authentication
- Wireless Guest Access Control & Path Isolation
- Wired Guest Access Control & Path Isolation
- Guest Authentication Portal
- Guest Provisioning
- Monitoring & Reporting

Guest Access Overview

Evolution of Network Access: Age of the Borderless Network
Diagram: access decisions now involve context such as Health, Location, Time and Access Method; the endpoint mix spans mobile workers, personal devices, VPN and hotspot users, employees (Sales, Finance) on managed desktops, printers (Payroll, Sales), security systems, IP cameras, game consoles, guests and contractors, on branch and campus networks reaching internal resources and the Internet.

Context-Based Access: Who = User Identity
- Known/Managed Users (long-term). Examples: employees/staff, faculty/students, extended-access partners/contractors. Primary auth methods: 802.1X or agent-based. Considerations: identity stores, EAP types and supplicant.
- Unknown/Unmanaged Users (temporary or infrequent access). Examples: guests, visitors, short-term partners/contractors. Primary auth method: web authentication. Considerations: web redirection and authentication portals, guest provisioning and identity stores.

Corporate vs Guests
Diagram flow: (1) the employee performs EAP authentication to ISE over CAPWAP; (2) ISE answers Accept with VLAN 30, which carries the corporate resources; (3) the guest device performs Web Auth; (4) ISE answers Accept with the GUEST ACL, and the guest is placed on VLAN 50 (Internet) over the 802.1Q trunk.
- Users with corporate devices and their AD user id can be assigned to the Employee VLAN.
- Guests authenticate via Web Auth and are assigned a GUEST-ACL on the Guest VLAN.

Requirements for Secure Guest Access
Technical:
- No access until authorized
- Guest traffic should be segregated from the internal network
- Web-based authentication
- Full auditing of location, MAC, IP address, username
- Overlay onto the existing enterprise network
- Bandwidth and QoS management
Usability and Monitoring:
- No laptop reconfiguration, no client software required; plug & play
- Splash screens and web content can differ by location
- Easy administration by non-IT staff
- Guest network must be free or cost-effective and non-disruptive
- Mandatory acceptance of a disclaimer or Acceptable Use Policy (AUP) before access is granted
- Logging and monitoring
- Must not require guest desktop software or configuration

Guest Access Components
Diagram: guest credentials feed a customizable login page with 802.1X/MAB compatibility, flexible access policies and centralized web page management; sponsored guest accounts (NAC Guest Server) add flexible sponsored access, guest policies and centralized accounting, with parity for wired and wireless; employee credentials come from the enterprise directory and existing credential stores (ACS 5.1) for integrated access authentication.

Wireless Guest Access Control & Path Isolation

Access Control: End-to-End Wireless Traffic Isolation
- The fact: traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller.
- The challenge: how to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communication?

Path Isolation: Why Do We Need It for Guest Access?
- Extend logical traffic isolation end-to-end over the L3 network domain.
- Separate and differentiate guest traffic from corporate internal traffic (security policies, QoS, bandwidth, etc.).
- Securely transport guest traffic across the internal network infrastructure to the DMZ.

Guest Access Control: Cisco WLAN Controller Deployments
- The LWAPP/CAPWAP tunnel is a Layer 2 tunnel (it encapsulates the original Ethernet frame).
- The same LWAPP/CAPWAP tunnel is used for the data traffic of different SSIDs.
- Control and data traffic are tunneled to the controller via LWAPP/CAPWAP: data uses UDP 12222 (LWAPP) / 5247 (CAPWAP), control uses UDP 12223 (LWAPP) / 5246 (CAPWAP).
- Data traffic is bridged by the WLAN controller onto a unique VLAN corresponding to each SSID.
- Traffic isolation provided by VLANs is valid only up to the switch where the controller is connected.
Diagram: APs across the campus core to a WiSM / WLAN Controller, with Guest and Employee wireless VLANs. LWAPP: Lightweight Access Point Protocol; CAPWAP: Control And Provisioning of Wireless Access Points.

Solution #1: Path Isolation using EoIP (WLAN Controller Deployments with EoIP Tunnel)
- Up to 71 EoIP tunnels logically segment and transport the guest traffic between remote and anchor controllers.
- Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN.
- No need to define the guest VLANs on the switches connected to the remote controllers.
- The original guest Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels.
- Redundant EoIP tunnels to the anchor WLC.
- 2100/2500 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPsec-encrypted tunnels on the remote WLC.
Diagram: guests over CAPWAP to the remote Wireless LAN Controller, an EoIP guest tunnel to the DMZ (anchor) wireless controller behind the Cisco ASA firewall, then the Internet.

Guest Network Redundancy: Using EoIP Pings (Data Path) Functionality
- Anchor WLC reachability is determined by the foreign WLC, which sends pings at configurable intervals to see whether the anchor WLC is alive.
- Once an anchor WLC failure is detected, a DEAUTH is sent to the client.
- The remote WLC keeps monitoring the anchor WLC.
- Under normal conditions clients are balanced between anchor WLCs in round-robin fashion.
Diagram: foreign controller F1 (management 10.10.80.3) with a primary and a redundant EtherIP guest tunnel across the campus core to anchors A1 (management 10.10.75.2) and A2 (management 10.10.76.2); guest VLAN 10.10.60.x/24 behind the anchors, secure (employee) VLANs bridged locally.

Implementing Guest Path Isolation Using WLC: Building the EoIP Tunnel
1. Specify a mobility group for each WLC.
2. Open ports for: inter-controller tunneled client data, inter-controller control traffic, the EoIP tunnel protocol, and other ports as required.
3. Create the Guest VLAN on the anchor controller(s).
4. Create identical WLANs on the remote and anchor controllers.
5. Configure the mobility groups and add the MAC address and IP address of the remote WLC.
6. Create the mobility anchor for the Guest WLAN.
7. Modify the timers in the WLCs.
8. Check the status of the mobility anchors for the WLAN.

Guest Path Isolation: WLAN Controller Deployments with EoIP Tunnel (configuration screenshots)
- Remote controller configuration: anchor and remote WLCs are configured in different mobility groups.
- Anchor and remote controller configuration: configure the guest WLANs on the remote and anchor controllers; configure the guest VLAN on the anchor WLC.
- Anchor and remote controller configuration: configure the mobility groups and add the MAC address and IP address of the remote WLCs (screenshots for the anchor and the remote).
- Remote controller configuration: create the mobility anchor for the guest WLAN on the remote WLCs.
- Anchor controller configuration: create the mobility anchor for the guest WLAN on the anchor WLC.
- Anchor controller: modify the timers and DSCP on the anchor WLCs, then check the status of the mobility anchors for the WLAN.

Guest Path Isolation: Firewall Ports and Protocols
Open ports in both directions for:
- EoIP packets: IP protocol 97
- Mobility: UDP port 16666
Must be Open!
- Inter-Controller CAPWAP (rel 5.0, 6.0, 7.0+) data/control traffic: UDP 5247/5246
- Inter-Controller LWAPP (before rel 5.0) data/control traffic: UDP 12222/12223
Do NOT Open!
Optional management/operational protocols:
- SSH/Telnet: TCP port 22/23
- TFTP: UDP port 69
- NTP: UDP port 123
- SNMP: UDP ports 161 (gets and sets) and 162 (traps)
- HTTPS/HTTP: TCP port 443/80
- Syslog: TCP port 514
- RADIUS Auth/Account: UDP ports 1812 and 1813

Solution #2: Guest Path Isolation using VRF (Campus Virtualization)
- Virtual Routing/Forwarding (VRF), or VRF-lite, is the L3 virtualization used in Enterprise Campus networks.
- Guest isolation is done by dedicated VRF instances.
Diagram: Guest VRF, Employee VRF and Global routing table on each L3 device, connected over logical or physical Layer 3 interfaces (802.1q, GRE, MPLS/LSP, physical interfaces, others).

Guest Path Isolation using VRF: WLC and VRF Virtualization
- LWAPP/CAPWAP path isolation at the access layer.
- L2 path isolation between the WLC and the default gateway.
- L3 VRF isolation from the WLC to the firewall's guest DMZ interface.
Diagram: guests over CAPWAP to the Wireless LAN Controller on an isolated L2 VLAN in the corporate access layer; the Guest VRF on the L3 switches (alongside the Employee VRF and Global table) carries the traffic to the inside interface of the Cisco ASA firewall, whose outside/guest DMZ leads to the Internet; guest provisioning sits on the corporate intranet.

Wireless Guest Access Deployment Options Summary

| Criterion                 | Cisco Unified Wireless, No DMZ Controller | Cisco Unified Wireless VRF | Cisco Unified Wireless DMZ Controller |
|---------------------------|-------------------------------------------|----------------------------|---------------------------------------|
| Provisioning Portal       | Yes                                       | Yes                        | Yes                                   |
| User Login Portal         | Yes                                       | Yes                        | Yes                                   |
| Traffic Segmentation      | VLANs through the network                 | VRF through the network    | Yes, tunnels or VLANs                 |
| User Policy Management    | Yes                                       | Yes                        | Yes                                   |
| Reporting                 | Yes                                       | Yes                        | Yes                                   |
| Overall Functionality     | Medium                                    | High                       | High                                  |
| Overall Design Complexity | Medium                                    | High                       | Low                                   |

Wired Guest Access Control & Path Isolation

Unified Wired and Wireless Deployment: Wired Guest Access
- Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access.
- Allows organizations to leverage the existing wireless infrastructure to provide guest access on the LAN.
- A universal provisioning interface and captive portal provide ease of guest user provisioning and consistent network access.
- Enables common guest user policies for both wired and wireless network access.

Guest Access for Wired LAN: Overview
- Wireless LAN Controllers version 4.2 and above offer Wired Guest Access.
- The wired guest VLAN must be L2 adjacent to the WLC.
- The wired guest VLAN can be the fallback VLAN of 802.1x/EAP authentication on the switch.
- Supported on WLC-4400, 5500 series, Catalyst 3750 Wireless and Catalyst 6500 with WiSM.
Diagram: a wired client on a Layer-2 switch joins the guest VLAN, which reaches the controller; the guest traffic is carried in an EtherIP guest tunnel across the campus core, alongside CAPWAP from the APs and the secure wireless VLANs, to the DMZ and the Internet.

WLC Wired Guest Access with EoIP: Wired Guest Access by Wireless LAN Controllers
- Wired guest ports are provided in a designated location and plugged into an access switch.
- The configuration on the access switch puts these ports into the wired guest layer 2 VLAN.
- On a single WLAN controller, the guest VLAN is trunked into the WLC.
- In a multi-controller deployment with auto-anchor mode, the guest VLAN is trunked into the foreign controller and then tunneled into the DMZ anchor controller.
Diagram: wired and wireless guests on an isolated L2 VLAN into the Wireless LAN Controller, an EoIP tunnel to the DMZ (anchor) Wireless LAN Controller behind the Cisco ASA firewall, out to the Internet; the corporate intranet stays separate.

Wired Guest Access Deployment Steps
- Create a dynamic interface as Guest LAN; this is the ingress interface.
- DHCP server information is not required on the ingress interface.
- DHCP server information is required on the egress dynamic interface.

Wired Guest Access Configuration
- Create the wired WLAN as Guest LAN type.
- Assign the ingress and egress interfaces: the ingress interface is the wired guest LAN; the egress interface can be the management interface or any dynamic interface.

Wireless and Wired Guest Configuration
Screenshot: the wireless and wired guest WLANs side by side.

Wired Guest Access: Enforcement Point
The wired guest access enforcement point can be delivered in two different locations:
- Web Authentication on Catalyst switches (Catalyst or NAC authentication; L3 path isolation; 802.1x guest VLAN failover).
- Wired Guest Access feature on Wireless LAN Controllers (open guest VLAN; L2 path isolation).
- Wired Guest Access with NAC server and manager.

Wired Guest L3 Path Isolation with VRF: Access using VLAN Isolation
Diagram: web authentication by Catalyst switches on an isolated L2 VLAN in the corporate access layer; wired guest isolation with VRF for L3 isolation through the L3 switches (Guest VRF, Employee VRF, Global) to the inside of the Cisco ASA firewall, whose outside/guest DMZ leads to the Internet; guest provisioning on the corporate intranet.

WLC Wired Guest Access: Deployment Considerations
- Five Guest-LANs for wired guest access are supported.
- The admin can create wired guest VLANs on the WLC and associate them with the guest LAN.
- Web-auth is the default security on a wired guest LAN, but open and web pass-through can also be used.
- No L2 security such as 802.1x is supported.
- Multicast and broadcast traffic are dropped on wired guest VLANs to reduce the load on the overall network.
- Wired guest access is supported on a single guest WLC or in an anchor-foreign guest WLC scenario.

Architecture Summary
- Wireless is the preferred guest access technology because it provides no physical connectivity to the corporate network.
- Wired guest access can be delivered by Catalyst switches or a Wireless LAN Controller.
- An anchor controller in the DMZ allows full path isolation from the access point to the DMZ.
- VRF can be used for L3 guest isolation.
- The Cisco ASA firewall provides Internet access security and advanced security features for guest control.

Guest Services Portal

When to Use Web-Authentication?
- 802.1X: managed 802.1X devices, known users.
- MAB (MAC address bypass): managed devices.
- Web Auth: users without 802.1X devices, users with bad credentials.
Diagram: employees with a supplicant (SSC) use 802.1X; an employee with a bad credential and a guest fall to Web Auth.
- Web Auth is a supplementary authentication method, most useful when users cannot perform or pass 802.1X.
- Primary use case: guest access. Secondary use case: an employee who fails 802.1X.

Guest Authentication Portal
The wireless and wired guest authentication portal is available in 4 modes:
- Internal (default web authentication pages)
- Customized (downloaded customized web pages)
- External using ISE Guest Server
- External (redirected to an external server)

Wireless Guest Authentication Portal: Internal Web Portal
- The wireless guest user associates to the guest SSID and initiates a browser connection to any website.
- The web login page is displayed: fixed welcome text and login credentials.

Wireless Guest Authentication Portal: Customizable Web Portal
- Create your own guest access portal web pages.
- Upload the customized web page to the WLC.
- Configure the WLC to use the customizable web portal.
- A customized WebAuth bundle up to 5 Mb in size can contain 22 login pages (16 WLANs, 5 wired LANs and 1 global), 22 login failure pages (in WLC 5.0 and up) and 22 login successful pages (in WLC 5.0 and up).

Wireless Guest Authentication Portal: External Web Portal
- Set in WLC > Security > WebAuth > Login, or override at the guest WLAN.
- Option to use a pre-auth ACL.

Wired Guest Authentication Portal: Catalyst Switches, Internal Web Portal
- Wired auth-proxy banner: configurable welcome text from the IOS config, plus login credentials.
  (config)#ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C

Wired Guest Authentication Portal: Catalyst Switches, Customizable Web Portal
- Configurable HTML pages on bootflash: 4 pages (login, success, expired, failure), 8 KB max each; images must be embedded or external.
  (config)#ip admission proxy http login expired page file bootflash:expired.html
  (config)#ip admission proxy http login page file bootflash:login.html
  (config)#ip admission proxy http success page file bootflash:success.html
  (config)#ip admission proxy http failure page file bootflash:fail.html
- Completely customizable.

Centralized Wireless & Wired Guest Portal: ISE Guest Server
- Multi-function standalone/distributed appliance.
- Customizable multi-portal hosting.
- Sponsored guest access: provisioning, verification, management.

Wireless Guest Centralized Login Page
1. The administrator creates the WLAN login page on ISE.
2. The wireless guest opens a web browser.
3. Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server.
4. The Guest Server returns the centralized login page.
(Diagram: AP, WLC, ISE.)

Wired Guest: Looks Exactly the Same as Wireless
1. The administrator creates the wired login page on ISE.
2. The wired guest opens a web browser.
3. Web traffic is intercepted by the switch and redirected to the Guest Server.
4. The Guest Server returns the centralized login page.

Authentication and Authorization Still Local
1. The administrator creates the wired login page on ISE.
2. The wired guest opens a web browser.
3. Web traffic is intercepted by the switch and redirected to the Guest Server.
4. The Guest Server returns the centralized login page.
5. The guest submits the credentials (POST of username and password) to the switch.
6. The switch authenticates the credentials and controls access.

Guest Services Provisioning

Requirements for Guest Provisioning
- Might be performed by a non-IT user.
- Must deliver basic features, but might also require advanced features: duration, start/end time, bulk provisioning.
- Provisioning strategies: lobby ambassador, employees.

Multiple Guest Provisioning Services
The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
- Cisco Wireless LAN Controller: basic provisioning, included in the Cisco Wireless LAN solution.
- Cisco Prime Network Control System: advanced provisioning, an additional Cisco product.
- Cisco Identity Services Engine: dedicated provisioning, an additional Cisco product.
- Customer server: customized provisioning, customer development.

Guest Provisioning Service: WLC (Cisco Wireless LAN Controller)
- Lobby Ambassador accounts can be created directly on Wireless LAN Controllers.
- Lobby Ambassadors have limited guest features and must create the user directly on the WLC: create guest users (up to 2048 entries), set a time limitation (up to 35 weeks), set the guest SSID, set the QoS profile.

Guest Provisioning Service: Create the Lobby Admin in WLC
The lobby administrator can be created directly in the WLC.

Local WLC Guest Management
Screenshots: the password is created; quickly create a guest with a time limit and WLAN profile; guest web login.

Guest Provisioning Service: NCS (Cisco Prime Network Control System)
- NCS offers specific Lobby Ambassador access for guest management only.
- Lobby Ambassador accounts can be created directly on NCS, or be defined on external RADIUS/TACACS+ servers.
- Lobby Ambassadors on NCS can create guest accounts with advanced features such as start/end time and date, duration, bulk provisioning, QoS profiles, and access restricted by WLC, access points or location.

Guest Provisioning Service: Lobby Ambassador Feature in NCS
Associate the lobby admin with profile- and location-specific information.

Guest Provisioning Service: Add a Guest User with NCS (screenshot)

Guest Provisioning Service: Print/E-Mail Details of Guest User (screenshot)

Guest Provisioning Service: Schedule a Guest User (screenshot)

Cisco TrustSec Guest Services

Context Awareness: ISE Guest Management
ISE Guest Service for managing guests: the guest policy applies web authentication to guests arriving over wireless or wired access and grants Internet-only access.
- Provision: guest accounts via the Sponsor Portal.
- Manage: sponsor privileges, guest accounts and policies, the guest portal.
- Notify: guests of account details by print, email or SMS.
- Report: on all aspects of guest accounts.

Cisco ISE Guest Server: ISE Configuration
1. The IT administrator configures ISE: sponsor or lobby admin access rights; add the WLC in ISE; configure security/policy rules.
2. The IT admin configures the WLC to use Cisco ISE: define the guest SSID; associate ISE as the RADIUS server.
Diagram: the IT admin (network/solution management) configures the ISE Guest Server (lobby ambassador portal, guest account database, monitoring and reporting) and the Wireless LAN Controller (policy enforcement, guest web portal); the employee sponsor or lobby ambassador serves guests (visitors, contractors, customers) who reach the Internet via the corporate network.

ISE Sponsored Guests: Sponsor Portal
- Customizable web portal for sponsors as well.
- Authenticate sponsors with corporate credentials: local database, Active Directory, LDAP, RADIUS, Kerberos.

Guest Portal Localization
Several languages are supported natively in ISE 1.1. All guest user pages are translated: authentication page, acceptable usage policy, success/failure page.

Cisco ISE Guest Server: Guest User Creation
1. The sponsor (employee or lobby ambassador) creates a guest account through the dedicated ISE server.
2. Credentials are delivered to the guest by print, email or SMS.
3. The guest authenticates on the guest portal.
4. RADIUS request from the WLC to the Cisco ISE server.
5. RADIUS response with policies (session timeout, ...).
6. RADIUS accounting with session information (time, login, IP, MAC, ...).
7. Traffic can go through.

ISE Sponsored Guest: URL-REDIRECT
1. The guest is redirected to the ISE Guest Portal when the browser is launched.
2. The guest enters the credentials created by the sponsor.
3. The account is verified on the ISE decision point against the guest user identity store.

ISE Self-Registration
4. The guest is redirected again to log in with the auto-generated username/password.
5. The guest is provisioned with an authorization policy for web access only.
6. The account is monitored via the timed profile settings.

ISE Guest User Portal Settings
Guest portals define what guest users are allowed to do:
- Guests can change their password.
- Guests change their password at first login.
- Guests can be allowed to download the posture client.
- Guests can do self-service.
- Guests can be allowed to do device registration.

Cisco ISE Guest Server: Sponsor Authentication (Local Account/AD)
- Assign a user/group to the Sponsor role.
- Integrate with Active Directory.
- Order priority sequence: AD > Internal.

Cisco ISE Guest Server: Guest Portal Customization
Multi-portal policies, username policy, password policy, localization, time profiles.

Cisco ISE Guest Server: Sponsor Portal
https://<ise-server-ip>:8443/sponsorportal/

Cisco ISE Guest Server: Sponsor Guest Account Creation
- Create/view/modify guest accounts.
- Personal settings.
- Tools to manage guest accounts: email/print/SMS.

Web Authentication Need something to intercept browser requests to provide captive portal and/or redirection to local or remote web auth portal Access Devices/Gateways Wired switch Wireless controller Inline Security Device/Appliances Dedicated NAC appliance Firewalls Web security gateways ISE Provides: Centralized and customizable Web authentication portal Both employee and guest auth supported Tunable username and password policies Support print, email, SMS guest notifications 75

Web Auth and Guest Access Wireless Considerations WLC 7.0 Supports LWA; 7.2 adds CWA support ISE Guest Services requires account activation; Initial web auth must be against ISE guest portal (LWA or CWA). As a result o Requires ISE be the web auth portal for LWA; No support for hosting guest portal on WLC o For anchor controller deployments, requires pinhole through DMZ firewall back to ISE PSN on tcp/8443 from guest IP address pool. 76

Web Auth and Guest Access LWA vs CWA piggybacks on MAB authentication policy rule. Configure: If User Not Found = Continue (default Reject) If MAC address lookup fails, reject the request and send access-reject. If MAC address lookup returns no result, continue the process and move to authorization 77

URL Redirection Example: TCP Traffic Flow for Login Page User opens browser TCP port 80 SYN SYN-ACK ACK HTTP GET Redirect: HTTP Login Page Username, Password HTTP GET http://www.google.com http://www.google.com Access VLAN Switch responds with source IP of requested destination Host Access Switch 78

URL Redirection Central Web Auth, Client Provisioning, Posture Redirect URL: For CWA, Client Provisioning, and Posture, URL value returned as a Cisco AV-pair RADIUS attribute. Ex: cisco:cisco-av-pair=url-redirect= https://ip:8443/guestportal/gateway?sessionid=sessionidvalue&action=cwa Redirect ACL: Access devices must be locally configured with ACL that specifies traffic to be permitted (= redirected) or denied (= bypass redirection) ACL value returned as a named ACL on NAD Ex: cisco:cisco-av-pair=url-redirect-acl=acl-posture-redirect ACL entries define traffic subject to redirection (permit) and traffic to bypass redirection (deny) Port ACL: ACL applied to the port (default ACL, dacl, named ACL) that defines traffic allowed through port prior to redirection 79

Guest Access with Anchor Controller Firewall must allow tcp/8443 from Guest IP pool to ISE PSN Cisco Wireless LAN Controller DMZ WLAN Anchor Controller ISE Policy Services 80

FlexConnect and External WebAuth URL/ACL Radius Auth WAN ISE for external webauth with FlexConnect central authentication with local switching. Guest client is provided with URL/ACL permit to ISE Clients does webauth with ISE Guest moves to local switching URL/ACL Branch Radius Auth Webauth VLAN Assignment 81

Wireless 802.1X Configuration URL Redirect ACL (Simple) Permit ping and DNS anywhere, and IP to ISE Optionally include access to remediation servers 82

Wireless 802.1X Configuration URL Redirect ACL (Detailed) Permit ping anywhere, DNS to name server, and TCP/8443 (optionally TCP/8080), TCP/8905, UDP/8905 to ISE 83

Common URLs for Redirection
- URL Redirect for Central Web Auth:
  Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionid=sessionidvalue&action=cwa
- URL Redirect for Client Provisioning and Posture:
  Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionid=sessionidvalue&action=cpp
- URL Redirect ACL:
  Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT
- LWA URL for the default ISE Guest Portal:
  https://ip:8443/guestportal/portal.jsp
- LWA URL for a custom ISE Guest Portal:
  https://ip:8443/guestportal/portals/clientportalname/portal.jsp
- CWA URL redirect for a custom ISE Guest Portal:
  Cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?portal=clientportalname&sessionid=SessionIdValue&action=cwa

Guest Monitoring, Reporting and Troubleshooting

Live Guest Verification - ISE
Monitor > Operations > Authentications shows all authentications, including guests. Identity and authorization can be found for guests.

Guest Monitoring - NCS
Monitor > Clients and Users shows all authentications, including guests. Identity and authorization can be found for guests.

Guest Monitoring - ISE
Monitor > Operations > Authentications shows all authentications, including guests. Identity and authorization can be found for guests.

Aggregation of Guest Information
ISE aggregates guest reporting information from the DMZ (or anchor) Wireless LAN Controller and the Cisco ASA firewall in front of the Internet (corporate intranet, wireless guest, ISE RADIUS guest server):
- From the WLC (RADIUS accounting): login, start/stop time, MAC address, source IP address.
- From the ASA (syslog): destination IP address/ports, URL logging.
Time synchronization on the WLC (ntp server 192.168.215.62) keeps the two record sources correlatable.
Cisco ASA firewall syslog configuration for URL logging (message 304001):
policy-map global_policy
 class inspection_default
  inspect http
!
service-policy global_policy global
logging enable
logging timestamp
logging list WebLogging message 304001
logging trap WebLogging
logging facility 21
logging host inside 192.168.215.16
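The correlation the slide describes (WLC accounting tells ISE which guest held which IP and when; the ASA 304001 syslog tells which IP fetched which URL) can be joined on source IP and time. The following Python script is an added example, not code from the deck, Cisco or ISE: the accounting records and syslog lines are constructed, the message layout follows the documented %ASA-5-304001 form ("<src> Accessed URL <dst>:<url>"), and the host name and addresses are made up. It shows why the join must be time-bounded: the same guest IP is reused by a second guest, and an event in the gap between sessions stays unattributed unless the clock-skew tolerance is widened.

```python
"""Attribute ASA URL-log entries (304001) to guest sessions using WLC RADIUS accounting.

Added example, not Cisco or ISE code. All records below are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed accounting sessions as ISE records them from WLC Start/Stop messages.
# The same guest IP is handed to a second guest after the first session ends.
ACCOUNTING = [
    {"user": "guest-a1b2", "mac": "00:11:22:33:44:55", "ip": "192.168.215.100",
     "start": "2024-05-01 09:00:00", "stop": "2024-05-01 10:00:00"},
    {"user": "guest-c3d4", "mac": "66:77:88:99:aa:bb", "ip": "192.168.215.100",
     "start": "2024-05-01 10:30:00", "stop": "2024-05-01 11:30:00"},
]

# Constructed ASA syslog lines (host name and addresses are made up).
SYSLOG = """\
May 01 2024 09:15:02 asa-dmz %ASA-5-304001: 192.168.215.100 Accessed URL 203.0.113.10:http://www.example.com/
May 01 2024 10:45:10 asa-dmz %ASA-5-304001: 192.168.215.100 Accessed URL 203.0.113.20:http://www.example.net/login
May 01 2024 10:10:00 asa-dmz %ASA-5-304001: 192.168.215.100 Accessed URL 203.0.113.30:http://www.example.org/
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-5-304001: "
    r"(?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>\S+)$"
)


def parse_syslog(text: str) -> List[Dict]:
    """Extract timestamp, source IP, destination and URL from 304001 lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # other message IDs are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "url": m["url"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_session(sessions: List[Dict], ip: str, ts: datetime,
                 skew_seconds: int = 0) -> Optional[Dict]:
    """Return the accounting session that held `ip` at time `ts`.

    `skew_seconds` widens each session window to tolerate clock drift between
    the WLC and the ASA; with both on NTP it can stay at zero."""
    skew = timedelta(seconds=skew_seconds)
    for s in sessions:
        start = datetime.strptime(s["start"], FMT) - skew
        stop = datetime.strptime(s["stop"], FMT) + skew
        if s["ip"] == ip and start <= ts < stop:
            return s
    return None


def attribute(text: str = SYSLOG, sessions: List[Dict] = ACCOUNTING,
              skew_seconds: int = 0) -> List[Dict]:
    """Join each URL event to the guest (user, MAC) that owned the source IP at that time."""
    out = []
    for ev in parse_syslog(text):
        s = find_session(sessions, ev["src"], ev["ts"], skew_seconds)
        out.append({**ev,
                    "user": s["user"] if s else None,
                    "mac": s["mac"] if s else None})
    return out


if __name__ == "__main__":
    for r in attribute():
        who = f'{r["user"]} ({r["mac"]})' if r["user"] else "UNATTRIBUTED"
        print(f'{r["ts"]} {r["src"]} -> {r["url"]}  {who}')
```

With zero skew the 10:10 event lands between the two sessions and is reported as unattributed; allowing 15 minutes of skew assigns it to the first guest. In practice an unattributed hit on a reused guest IP is a signal to check NTP on the WLC and ASA and to confirm that accounting Stop records are actually reaching ISE, rather than a reason to guess the owner.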

Guest Activity Reporting - ISE
Guest Reports with drill-down to Guest Detail.

Guest Activity Reporting - NCS
Customized profile and scheduling; variable reporting periods.

Cisco TrustSec Guest Posture

Posture Assessment Leveraging the NAC Agent
Additional information is learned through posture. Posture = the state of compliance with the company's security policy:
- Is the system running the current Windows patches?
- Anti-virus installed? Is it up to date?
- Anti-spyware installed? Is it up to date?
Now the user/system identity can be extended to include its posture status.
What can be checked? AV/AS, registry, files, application/process, Windows updates, WSUS and more.
If not compliant: auto-remediation, alert, download file.
NAC Agent (persistent) and Web Agent (temporal) are supported.

ISE Posture Policies (wired, VPN and wireless access; employees vs contractors/guests)
- Employee policy: Microsoft patches updated; McAfee AV installed, running and current; corporate asset checks; enterprise application running.
- Contractor policy: any AV installed, running and current.
- Guest policy: accept AUP (no posture, Internet only).

LWA with Posture
Supported in Open Authentication. LWA web-auth supports L3 authentication: the WLC serves the login web page and sends the username/password to ISE. Client posture is supported.
1. Guest associates to the Guest WLAN and requests http://www.cisco.com
2. Redirect to the ISE web portal
3. Connect to ISE; action URL = WLC login, original URL = http://www.cisco.com
4. WLC login page
5. Username/password sent to ISE
6. Login success; Redirect: http://posture page (state: Authenticated, Posture unknown)
7. Download Web Agent; posture validation and remediation if necessary (ISE determines whether the Web Agent is necessary)
8. CoA policy push with ACL (state: Posture compliant)
9. Get http://www.cisco.com

CWA with Posture
Open authentication, with ISE performing CWA: web-auth happens on ISE, which serves the login page and verifies the client credentials. Client posture is supported.
1. Guest associates to the Guest WLAN and requests http://www.cisco.com
2. Redirect to the ISE web portal
3. Connect to ISE login; original URL = http://www.cisco.com
4. ISE login page
5. ISE verifies the username/password
6. Login success; Redirect: http://posture page (state: Authenticated, Posture unknown)
7. Download Web Agent; posture validation and remediation if necessary (ISE determines whether the Web Agent is necessary)
8. CoA policy push with ACL (state: Posture compliant)
9. Get http://www.cisco.com

Sample Redirect ACL for CWA
Legend: deny = bypass redirection; permit = redirect.
2k/3k/4k example (the DHCP line is corrected here to bootpc -> bootps, which is the client-to-server direction the other sample ACLs use):
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host <PSN1> eq 8443
 permit ip any any
6k example:
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host <PSN1>
 permit ip any any

Sample ACLs for CWA Redirection
Port ACL / dACL:
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq http
 permit tcp any any eq https
 permit tcp any host 10.1.1.100 eq 8080
 permit tcp any host 10.1.1.100 eq 8443
 (deny ip any any)
Redirect ACL:
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host 10.1.1.100 eq 8080
 deny tcp any host 10.1.1.100 eq 8443
 permit ip any any
Resulting treatment of client traffic (10.1.1.100 is the ISE PSN):
- DHCP to x.x.x.x: permitted by the port ACL, not redirected
- DNS to x.x.x.x: permitted by the port ACL, not redirected
- SSH to x.x.x.x: dropped by the port ACL's implicit deny
- FTP to x.x.x.x: dropped by the port ACL's implicit deny
- HTTP to x.x.x.x: 302 redirect to TCP/8443 on 10.1.1.100
- HTTPS to x.x.x.x: 302 redirect to TCP/8443 on 10.1.1.100
- TCP/8443 to 10.1.1.100: permitted, bypasses redirection

Sample ACLs for Posture Redirection
Port ACL / dACL:
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq http
 permit tcp any any eq https
 permit udp any host 10.1.1.100 eq 8905
 permit tcp any host 10.1.1.100 eq 8080
 permit tcp any host 10.1.1.100 eq 8443
 permit tcp any host 10.1.1.100 eq 8905
 permit tcp any host 192.168.1.200 eq www
 (deny ip any any)
Redirect ACL:
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny udp any host 10.1.1.100 eq 8905
 deny tcp any host 10.1.1.100 eq 8080
 deny tcp any host 10.1.1.100 eq 8443
 deny tcp any host 10.1.1.100 eq 8905
 deny tcp any host 192.168.1.200 eq www
 permit ip any any
Resulting treatment of client traffic (10.1.1.100 is the ISE PSN):
- DHCP to x.x.x.x: permitted by the port ACL, not redirected
- DNS to x.x.x.x: permitted by the port ACL, not redirected
- SSH to x.x.x.x: dropped by the port ACL's implicit deny
- FTP to x.x.x.x: dropped by the port ACL's implicit deny
- HTTP to x.x.x.x: 302 redirect to TCP/8443 on 10.1.1.100
- HTTPS to x.x.x.x: 302 redirect to TCP/8443 on 10.1.1.100
- TCP/8443, TCP/8905 and UDP/8905 to 10.1.1.100: permitted, bypass redirection
- HTTP to 192.168.1.200: permitted, bypasses redirection
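The two ACLs above are evaluated in different roles: the port ACL decides what may pass the port at all (implicit deny at the end), and the redirect ACL decides which of the surviving HTTP/HTTPS flows the switch intercepts with a 302 (permit) versus lets through untouched (deny). The following Python script is an added example, not Cisco code: it parses the sample ACLs from the CWA slide, classifies constructed flows from a made-up guest address (10.1.40.100) as dropped, redirected or forwarded, and also shows that one malformed line makes the whole dACL unparseable, which is the "ANY syntax error" case the troubleshooting slide warns about. The address/port grammar it accepts is limited to the forms used on these slides (any, host, eq).

```python
"""Simulate a switch's port ACL + URL-redirect ACL evaluation for guest flows.

Added example, not Cisco code. ACL bodies are the sample ACLs from the deck;
the client address and the flows are constructed.
Port ACL (dACL / ACL-DEFAULT): permit = allowed through the port, anything
unmatched is dropped by the implicit deny.
Redirect ACL: permit = subject to redirection, deny = bypass redirection.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the sample ACLs.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "http": 80, "www": 80, "https": 443}

ACL_DEFAULT = """
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq http
 permit tcp any any eq https
 permit tcp any host 10.1.1.100 eq 8080
 permit tcp any host 10.1.1.100 eq 8443
"""

ACL_WEBAUTH_REDIRECT = """
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host 10.1.1.100 eq 8080
 deny tcp any host 10.1.1.100 eq 8443
 permit ip any any
"""

# (action, proto, src_ip|None=any, src_port|None, dst_ip|None=any, dst_port|None)
Entry = Tuple[str, str, Optional[str], Optional[int], Optional[str], Optional[int]]


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _port(tok: str) -> int:
    # A token such as "8443ww" is a syntax error: int() raises ValueError,
    # mirroring the switch refusing the whole dACL on one bad line.
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks: List[str], i: int) -> Tuple[Optional[str], int]:
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address token {toks[i]!r}")


def _opt_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse an IOS extended ACL body (permit/deny, any|host, optional eq <port>)."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if not toks or toks[0] in ("ip", "!"):  # skip the 'ip access-list' header
            continue
        action, proto = toks[0], toks[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {raw!r}")
        src, i = _addr(toks, 2)
        sport, i = _opt_port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _opt_port(toks, i)
        if i != len(toks):
            raise ValueError(f"trailing tokens in {raw!r}")
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def dacl_is_valid(text: str) -> bool:
    """True if every line parses; one bad line would make the switch reject the dACL."""
    try:
        parse_acl(text)
        return True
    except (ValueError, IndexError):
        return False


def first_match(acl: List[Entry], flow: Flow) -> str:
    """Action of the first matching entry, or the implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if proto not in ("ip", flow.proto):
            continue
        if all(want is None or want == got for want, got in
               ((src, flow.src_ip), (sport, flow.src_port),
                (dst, flow.dst_ip), (dport, flow.dst_port))):
            return action
    return "deny"


def classify(flow: Flow, port_acl: List[Entry], redirect_acl: List[Entry]) -> str:
    """Return 'dropped', 'redirected' or 'forwarded' for one flow."""
    if first_match(port_acl, flow) != "permit":
        return "dropped"          # never reaches the redirect logic
    web = flow.proto == "tcp" and flow.dst_port in (80, 443)
    if web and first_match(redirect_acl, flow) == "permit":
        return "redirected"       # switch answers with a 302 to the ISE portal
    return "forwarded"            # permitted, and bypasses redirection


def demo() -> dict:
    """Classify constructed flows from guest 10.1.40.100 (a constructed address)."""
    port_acl, redirect_acl = parse_acl(ACL_DEFAULT), parse_acl(ACL_WEBAUTH_REDIRECT)
    flows = {
        "dhcp":  Flow("udp", "10.1.40.100", 68, "255.255.255.255", 67),
        "dns":   Flow("udp", "10.1.40.100", 50000, "10.1.10.5", 53),
        "ssh":   Flow("tcp", "10.1.40.100", 50001, "203.0.113.10", 22),
        "http":  Flow("tcp", "10.1.40.100", 50002, "203.0.113.10", 80),
        "https": Flow("tcp", "10.1.40.100", 50003, "203.0.113.10", 443),
        "ise":   Flow("tcp", "10.1.40.100", 50004, "10.1.1.100", 8443),
    }
    return {name: classify(f, port_acl, redirect_acl) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:6} -> {verdict}")
```

The same parser accepts the 6k-style redirect ACL (deny ip any host <PSN>, permit ip any any) because "ip" matches either transport protocol. When a client is stuck without a portal, running the applied port ACL through dacl_is_valid is a quick way to separate "ISE pushed it but the switch refused it" from a routing or device-tracking problem.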

Troubleshooting Redirection
Verify the IOS code release and feature set!
# show authentication session interface <int>
- Does the IP address display? Verify the device tracking table entry.
- Is the session ID matching?
- Is the dACL downloaded, if applicable?
- Is the Redirect ACL applied? If so, verify its contents on the local switch.
# show ip access-list interface <int>
- Is the access list properly applied to the client IP address per the above?
If not:
- Verify that the endpoint has an IP address.
- Verify the dACL contents in ISE: ISE may show the dACL authorization as applied, but the switch rejects it if there is ANY syntax error.
Access switch without SVIs for local access VLANs (common L2 case):
- Is there a route from the Management VLAN to the client VLAN?
- Is a firewall dropping redirects sourced from the Management VLAN?
- Are dACLs disappearing? If so, does the host respond to ARP probes from 0.0.0.0? Switch(config-if)# ip device tracking probe use-svi
Related defects: CSCtn27420, CSCtl94012, CSCtr26069

Troubleshooting Redirection: Separate Voice Authorization
The interface ACL shows two hosts authorized on the same port: 10.1.40.100 (voice, permitted any) and 10.1.10.101 (data client, restricted to DNS, web and the ISE ports):
3k-access(config-if)# do sh ip access-list int gi0/1
permit ip host 10.1.40.100 any
permit udp host 10.1.10.101 any eq domain
permit tcp host 10.1.10.101 host 10.1.100.21 eq 8443
permit tcp host 10.1.10.101 any eq www
permit tcp host 10.1.10.101 any eq 443
permit tcp host 10.1.10.101 host 10.1.100.21 eq 8905
permit udp host 10.1.10.101 host 10.1.100.21 eq 8905
permit tcp host 10.1.10.101 host 10.1.252.21 eq www

ISE Integrated Troubleshooting: Audit Network Device Configuration
- Are my switchports properly configured to support 802.1X, MAB and Web Authentication per Cisco best practices?
- Is my switch properly configured to support AAA and other ISE services including Posture, Profiling and Logging?

Summary

From Wireless Guest Access: Sponsored Guest, Guest, Wireless LAN Controller, Network Control System

to Unified Wired & Wireless Guest Access: Sponsored Guest, ISE Guest Server; guest parity for wired / WLAN

What We Have Covered
- What Guest Access Services are made of.
- The need for a secured infrastructure to support isolated guest traffic.
- Unified Wireless is a key component of this infrastructure.
- The Guest Service components are integrated in the Cisco Wired and Wireless solution.
- Guest Access is one of the User Access Policies available to control and protect the enterprise Borderless Network.
- Cisco TrustSec enhances Guest Services overall.

BRKEWN-2016 Recommended Reading

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Final Thoughts
- Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042.
- Come see demos of many key solutions and products in the main Cisco booth 2924.
- Visit www.ciscolive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
- Follow Cisco Live! using social media: Facebook: https://www.facebook.com/ciscoliveus  Twitter: https://twitter.com/#!/ciscolive  LinkedIn Group: http://linkd.in/ciscoli
