![Page 1: Deploying Wireless - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKEWN-2014.pdf · Deploying Wireless Guest Access and BYOD Scott Lee-Guard, Systems Engineer,](https://reader030.vdocuments.site/reader030/viewer/2022040701/5d60337d88c993f3248b6737/html5/thumbnails/1.jpg)
Deploying Wireless Guest Access and BYOD
Scott Lee-Guard, Systems Engineer, Enterprise Networks
Agenda
• Overview of Guest Access
• Guest Access Control & Path Isolation
• High Availability for Guest Access
• Sleeping Clients
• Guest Services Portals
• Local Web Auth (LWA) vs External Web Auth (EWA)
• WLC, ISE Guest, CMX Connect
• Guest User Provisioning
• Monitoring & Reporting
Overview: Guest Access
How do we define Guest Access?
• Is it via a WiFi Hotspot?
• Does it require login?
• With a username and password?
• Is it Self Registration?
• Are you required to agree to an Acceptable Use Policy (AUP)?
Or Corporate Access?
Or just a "Secret Code"?
Or via Social Media?
Or is access sponsored by an employee?
The answer is YES
Flashback: Wireless Access at CiscoLive! 2015
Flashback #2: 5:00am yesterday morning…
Requirements for Secure Guest Access
[Slide groups these requirements as Technical, Usability and Monitoring]
• No access until authorised
• Guest traffic should be segregated from the internal network
• Web-based authentication
• Bandwidth and QoS management
• Overlay onto existing enterprise network
• No device reconfiguration, no client software required: "Plug & Play"
• Easy administration by non-IT staff
• Splash screens and web content can differ by location
• "Guest network" must be free or cost-effective and non-disruptive
• Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP)
• Logging & Monitoring: Auditing of location, MAC, IP address, username
Why Web Authentication?
• 802.1X
  • Certificates, AD credentials
  • Good for managed devices and known users
• MAC Authentication Bypass (MAB)
  • Managed devices with NO 802.1X capability or user input
• WPA2 PSK
  • No individual identity; the key easily becomes well known and is not rotated
• Web Authentication
  • Supplementary authentication method vs OPEN network
  • Unmanaged devices
  • Allows web redirect (AUP/Legal)
[Diagram labels: 802.1X, Guest, Employee]
Cisco Unified Access Architecture
[Diagram components: Employee and Guest clients, Access Points, Access Switch, Distribution Switch, Prime Infrastructure, Mobility Controller, Identity Services Engine, Mobility Services Engine]
Wireless Guest Access Control & Path Isolation
End-to-End Guest Traffic Isolation
• The Fact:
  • Traffic isolation achieved via CAPWAP tunnel from the AP to the WLAN Controller
• The Challenge:
  • How to provide end-to-end wireless guest traffic isolation?
  • Allowing internet access but preventing any other communications
• Why We Need it for Guest Access:
  • Extend traffic logical isolation end-to-end over L3 network domain
  • Separate and differentiate the guest traffic from the corporate traffic
  • Securely transport the guest traffic to DMZ
Guest Traffic Isolation – Build Another Tunnel
• First hop AP to WLC still via a CAPWAP tunnel
• Tunnel Guest traffic to an Anchor WLC in the DMZ
• This "first stop" WLC is now called the Foreign WLC
[Diagram labels: Guest, Employee, Foreign WLC, Anchor WLC, WLC, DMZ, Corporate Network]
Centralised Guest Anchor Controller (GA)
• Wireless Guests assigned IP address in DMZ
• Point of Presence “POP”
• Simple aggregation to DMZ
• Leverage Firewall and Web Filtering
• Use of up to 71 Anchor tunnels
• WebAuth controls at Guest Anchor
• Security controls
• Pre-Auth ACL, AAA override, QoS, AVC, Session-Timeout, etc
Guest Path Isolation – Building the Tunnel
1. Specify a mobility group for each WLC
2. Open ports for:
i. Inter-Controller Tunneled Client Data
ii. Inter-Controller Control Traffic
iii. EoIP/CAPWAP tunnel protocol
iv. Other ports as required
3. Configure the mobility groups and add the MAC-address and IP address of the foreign WLC
4. Check the status of the Mobility Anchors for the WLAN
5. Create Guest VLAN on Anchor controller(s)
6. Configure identical WLANs on the Foreign and Anchor controllers
7. Configure the Mobility Anchor for the Guest WLAN
Guest Path Isolation – Ports and Protocols
• Open in both directions for:

| Description | IP/TCP/UDP | Open |
|---|---|---|
| EoIP packets (Classic Mobility Anchor) | IP Protocol 97 | MUST be open |
| Mobility Control & New Mobility Data | UDP 16666 | MUST be open |
| Inter-Controller CAPWAP Data/Control Traffic | UDP 5247/5246 | Do NOT open |

• Optional management / operational protocols:

| Description | IP/TCP/UDP |
|---|---|
| SSH/Telnet | TCP 22, 23 |
| HTTP/HTTPS | TCP 80, 443 |
| TFTP | UDP 69 |
| Syslog | UDP/TCP 514 |
| NTP | UDP 123 |
| RADIUS Auth | UDP 1812 |
| SNMP | UDP 161, 162 |
| RADIUS Acct | UDP 1813 |

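
One way to check a firewall policy between the Foreign and Anchor WLC against the table above. This is an added example, not part of the original slides; the `Rule` model, the first-match evaluation, the addresses and the sample ruleset are all constructed assumptions.

```python
"""Audit firewall rules between a Foreign and an Anchor WLC against the
ports-and-protocols table on this slide. Addresses and rules are constructed
sample data, not taken from the presentation."""
from dataclasses import dataclass

FOREIGN = "10.10.1.5"    # constructed: Foreign WLC on the corporate network
ANCHOR = "192.0.2.10"    # constructed: Anchor WLC in the DMZ

# A service is (kind, number); kind is "ipproto", "udp" or "tcp".
REQUIRED = {("ipproto", 97), ("udp", 16666)}    # table: MUST be open
FORBIDDEN = {("udp", 5246), ("udp", 5247)}      # table: Do NOT open
OPTIONAL = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 443),
            ("udp", 69), ("udp", 514), ("tcp", 514), ("udp", 123),
            ("udp", 161), ("udp", 162), ("udp", 1812), ("udp", 1813)}


@dataclass(frozen=True)
class Rule:
    src: str       # IP address or "any"
    dst: str       # IP address or "any"
    svc: tuple     # (kind, number)
    action: str    # "permit" or "deny"


def allowed(rules, src, dst, svc):
    """First matching rule wins; no match means implicit deny (assumption)."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.svc == svc:
            return r.action == "permit"
    return False


def audit(rules, foreign=FOREIGN, anchor=ANCHOR):
    """Return (finding, service, path) tuples for both tunnel directions."""
    findings = []
    known = REQUIRED | FORBIDDEN | OPTIONAL
    for src, dst, path in ((foreign, anchor, "foreign->anchor"),
                           (anchor, foreign, "anchor->foreign")):
        for svc in sorted(REQUIRED):
            if not allowed(rules, src, dst, svc):
                findings.append(("MISSING", svc, path))
        for svc in sorted(FORBIDDEN):
            if allowed(rules, src, dst, svc):
                findings.append(("EXPOSED", svc, path))
        # Anything else permitted between the controllers is outside the table.
        extra = {r.svc for r in rules
                 if r.svc not in known and allowed(rules, src, dst, r.svc)}
        findings += [("UNEXPECTED", svc, path) for svc in sorted(extra)]
    return findings


# Constructed ruleset with three deliberate mistakes.
SAMPLE_RULES = [
    Rule(FOREIGN, ANCHOR, ("ipproto", 97), "permit"),
    Rule(ANCHOR, FOREIGN, ("ipproto", 97), "permit"),
    Rule(FOREIGN, ANCHOR, ("udp", 16666), "permit"),   # return direction forgotten
    Rule("any", ANCHOR, ("udp", 5246), "permit"),      # CAPWAP control left open
    Rule(FOREIGN, ANCHOR, ("tcp", 22), "permit"),      # optional management
    Rule(FOREIGN, ANCHOR, ("tcp", 3389), "permit"),    # not in the table at all
]

if __name__ == "__main__":
    for finding, svc, path in audit(SAMPLE_RULES):
        print(f"{finding:<10} {svc[0]} {svc[1]:<6} {path}")
```
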
Creating the Tunnel – Mobility Groups
• Anchor and Foreign WLCs are configured in different Mobility Groups
Creating the Tunnel – Anchor to Foreign
• Add foreign WLCs using MAC and IP address
• Anchor
• Foreign
Guest Path Isolation – Anchor VLAN
• Configure Guest VLAN on the Anchor WLC:
Tunnel the WLAN – Mobility Anchor on Anchor
• Configure the mobility anchor for the guest WLAN on Anchor WLCs:
[Screenshot callouts: "Select local", "On Anchor WLC"]
Tunnel the WLAN – Mobility Anchor on Foreign
• Configure the mobility anchor for the guest WLAN on Foreign WLCs:
[Screenshot callouts: "Select Anchor IP", "On Foreign WLC"]
Guest Access High Availability
Guest Anchor Redundancy
Pre AireOS 8.1
• Add a second Anchor Controller in any DMZ
• A Foreign controller load balances guest clients across the list of Anchor controllers configured on the WLAN
• Guest clients are load balanced in round robin fashion amongst anchor controllers
• If an anchor fails, guest clients will be load balanced amongst remaining anchor controllers
Guest Anchor High Availability with SSO
• Add a second Anchor Controller in the same DMZ
• True Box to Box High Availability
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of Active WLC
• Configuration on Active synched to Standby
• AP CAPWAP State (7.3+) and active Client State (7.5+) synchronised
• Full Stateful Switch Over (SSO) from Active to Standby
• A Foreign controller only sees a single Anchor controller
Guest Anchor Redundancy with Priority
AireOS 8.1 onwards
• Add a second Anchor Controller in any DMZ
• A Foreign controller designates one anchor as Primary with one or more Secondary anchors
• Guest clients will be tunneled to anchor with highest priority
• If an anchor fails, guest clients will be sent to anchor with next highest priority
• Round robin if remaining anchors have same priority
• Multiple anchors not needed in each location for redundancy
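
The two anchor-selection behaviours described on the redundancy slides (round robin before AireOS 8.1, priority with round robin among equals from 8.1), modelled side by side. This is an added example, not Cisco code and not from the original slides; the `ForeignWLC` class, the addresses and the client MACs are constructed, and it assumes that priority 1 is the highest.

```python
"""Model of how a Foreign WLC spreads guest clients over its anchors, before
and after a failure. Illustrative only: names, addresses and MACs are
constructed, and lower number = higher priority is an assumption."""
from collections import Counter

# (anchor IP, priority) in configuration order; constructed sample values.
ANCHORS = [("192.0.2.10", 1), ("192.0.2.20", 2), ("198.51.100.10", 2)]


class ForeignWLC:
    def __init__(self, anchors, use_priority):
        self.anchors = list(anchors)
        self.use_priority = use_priority   # False models pre-8.1 behaviour
        self.down = set()
        self.assignment = {}               # client MAC -> anchor IP
        self.next_rr = 0

    def candidates(self):
        """Reachable anchors a new client may be tunneled to."""
        alive = [(ip, p) for ip, p in self.anchors if ip not in self.down]
        if self.use_priority and alive:
            best = min(p for _, p in alive)
            alive = [(ip, p) for ip, p in alive if p == best]
        return [ip for ip, _ in alive]

    def place(self, mac):
        """Round robin over the candidate list; None if no anchor is up."""
        pool = self.candidates()
        if not pool:
            self.assignment.pop(mac, None)
            return None
        anchor = pool[self.next_rr % len(pool)]
        self.next_rr += 1
        self.assignment[mac] = anchor
        return anchor

    def fail(self, ip):
        """Mark an anchor down and re-place the clients that were on it."""
        self.down.add(ip)
        displaced = [m for m, a in self.assignment.items() if a == ip]
        return {m: self.place(m) for m in displaced}

    def load(self):
        return dict(Counter(self.assignment.values()))


def demo(use_priority, clients=6, failed="192.0.2.10"):
    """Return (load before failure, load after failure) per anchor."""
    wlc = ForeignWLC(ANCHORS, use_priority)
    for i in range(clients):
        wlc.place(f"02:00:00:00:00:{i:02x}")   # constructed client MACs
    before = wlc.load()
    wlc.fail(failed)
    return before, wlc.load()


if __name__ == "__main__":
    print("pre-8.1 :", demo(use_priority=False))
    print("8.1+    :", demo(use_priority=True))
```

With priority enabled, every guest session leaves through one DMZ until that anchor fails; with plain round robin, guest traffic is present in every DMZ that hosts an anchor.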
Mobility Anchor Priority on Foreign
• Edit the mobility anchor for the guest WLAN on Foreign WLCs:
[Screenshot callouts: "Select Priority 1,2,3", "On Foreign WLC"]
Sleeping Clients: The Re-Authentication Issue
Sleeping Guest Clients
What's the Problem?
• Client devices connected to web-auth enabled WLANs have to enter login credentials every time the client goes to sleep and wakes up
• NOT just Guests
The Solution (7.5 and above)
• When user-idle timeout exceeded, client entry is moved to Sleeping Client DB
• Configurable per-WLAN, up to 30 days / 720 hours
• Client re-connecting within Sleeping Timer does not need to re-enter credentials
• Cached information is passed as client roams
• Even when waking up in another AP cell (same WLAN, same mobility group)
Sleeping Client Configuration
• Configured from the Layer 3 Security section of the WLAN:
Sleeping Client Verification
• Client information visible in GUI:
Sleeping Clients with ISE
• Device/user logs in to hotspot or credentialed portal
• MAC automatically registered into GuestEndpoint group:
• AuthZ policy grants immediate access until device purged
Guest Services Portal: Local Web Auth vs. External Web Auth
Local Web Auth (LWA) or External Web Auth (EWA)
• Wireless & Wired Guest Web Authentication Portal is available in 4 modes:

| Mode | Web Authentication Type | Local or External |
|---|---|---|
| 1 | Internal (Default) | Local Web Auth (LWA) |
| 2 | Customised (Customised Downloaded) | Local Web Auth (LWA) |
| 3 | Internal (1) or Customised (2) using ISE for RADIUS Authentication | Local Web Auth (LWA) |
| 4 | External (Re-directed to external server) | External Web Auth (EWA) |

LWA Internal Guest Services Portal
• Internal (Default) Web Portal
• URL re-direct after login
• or leave blank
• Customise options for:
• Page Headline
• Splash page message
• Show/hide Cisco Logo
LWA Customised Guest Services Portal
• Create your own Guest Access Portal web pages
• Upload the customised web page to the WLC
• Configure the WLC to use "Customised (Downloaded) web portal"
• Customised WebAuth bundle up to 5 Mb in size can contain:
  • 22 login pages
    • 16 WLANs
    • 5 Wired LANs
    • 1 Global
  • 22 login failure pages
  • 22 login successful pages
EWA Guest Services Portal
• External (Redirect to external server)
• Pre-Authentication ACL
• Optional:
• Override WebAuth type at Guest WLAN level
ISE Guest Portals (External Web Auth)
ISE 2.0 Portal Creation for Guest and BYOD
• Set up a Guest or BYOD workflow in just a few clicks.
ISE 2.0 Portal Customisation for Guest and BYOD
• Portal Control Options: Access code, AUP, BYOD, Self Registration, Device Registration, Required Fields and more
• Workflow Visibility: ISE updates the portal workflow in real-time with each change.
ISE 2.0 Guest Portal
ISE 2.0 Guest Portal – Self Registration
CMX Connect for Guest Access
Cisco Connected Mobile Experiences (CMX)
Presence, Location, Social
• DETECT
  • Presence and location detection
  • Visibility (Wi-Fi, BLE)
• CONNECT
  • Easy Wi-Fi login, custom or social
  • Zone-based, custom splash pages
• ENGAGE
  • App-based mobile engagement
  • Context-aware in-venue experiences
• ANALYTICS
Guest Access with CMX Connect
• Simplify Access with User Opt-In
• Offer Clear Terms and Conditions
• Multiple Access Methods
• Custom or Social Media
• Customised Access
• Proximity-Based Landing Pages and Promotion Alerts (Coupons)
• Understand Who Is in Your Location
• Enhanced Analytics
Facebook Wi-Fi: Access Demographic Data
Data is aggregated for trend analysis. A marketing team with a Facebook Ads budget could use this to get a higher return on its advertising spend.
Facebook Wi-Fi Configuration
• Import map from CPI
• Use MSE GUI to assign FB Page
• Configure WLAN to redirect to MSE
Guest Services Provisioning
Guest Provisioning Requirements
• Might be performed by non-IT user (Lobby Ambassador)
• Must deliver basic features, but might also require advanced features:
  • Duration
  • Start/End Time
  • Bulk provisioning
  • Reporting
• Provisioning Strategies:
  • Lobby Ambassador
  • Employees
Guest Provisioning Choices
Cisco Guest Access Solution supports a range of provisioning tools
[Diagram labels, tools: Prime Infrastructure, Mobility Controller, Identity Services Engine, Custom Server, CMX Connect]
[Diagram labels, provisioning types: Basic Provisioning, Advanced Provisioning, Dedicated Provisioning, Customised Provisioning, Social Login]
Guest Provisioning: Wireless LAN Controller
Guest Provisioning – Local WLC
• Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
• Lobby Ambassadors have limited guest features and must create the user directly on WLC:
  • Create Guest User – up to 2048 entries
  • Set time limitation – up to 35 weeks
  • Set Guest SSID
  • Set QoS Profile
• Cisco Wireless LAN Controller (AireOS)
Guest Provisioning – Lobby Admin on WLC
• Lobby Administrator can be created directly on Wireless LAN Controller (WLC)
Guest Provisioning – Local WLC
Guest Provisioning: Prime Infrastructure
Guest Provisioning – Prime Infrastructure
• CPI offers specific Lobby Ambassador access for Guest management only
• Lobby Ambassador accounts can be created:
• Directly on CPI
• Defined on external RADIUS/TACACS+ servers
• Lobby Ambassadors on CPI are able to create guest accounts with advanced features like:
• Start/End time and date, duration
• Bulk provisioning
• Set QoS Profiles
• Set access based on WLC, Access Points or Location
Guest Provisioning – Lobby Admin in Prime
• Create the Reception User ID and assign to "Lobby Ambassador" group
Guest Provisioning – Lobby Admin in Prime
• Associate the lobby admin with Profile and Location specific information
• Customise text and logo details
Guest Provisioning – Prime Infrastructure
Guest Provisioning – Prime Infrastructure
Bulk Guest Provisioning – Prime Infrastructure
Guest Provisioning – Print/Email Guest Details
Guest Provisioning: Identity Services Engine
ISE Sponsor Portal
• Customisable Web Portal for Sponsors as well
• Authenticate Sponsors with corporate credentials:
• Local Database
• Active Directory
• LDAP
• RADIUS
• Kerberos
ISE 2.0 Sponsor Portal – Create Guest
ISE 2.0 Sponsor Portal – Guest Notification
ISE 2.0 Sponsor Portal – Manage Guests
ISE 2.0 Sponsor Portal – Manage Guests (detail)
Guest Monitoring & Reporting
Guest Monitoring – Prime Infrastructure
• The Monitor > Monitoring Tools > Clients and Users window shows all authentications, including guests
Guest Monitoring Detail – Prime Infrastructure
Guest Activity Reporting – Prime Infrastructure
Guest Monitoring – ISE
• The Operations > RADIUS Live Log window shows all authentications, including guests
• Identity and authorisation details can be found for guests
Guest Activity Reporting – ISE
Summary
Wireless Guest – Key Takeaways
• Web Authentication is a supplementary authentication method
• Guest traffic isolation is provided via tunnels between Anchor and Foreign
• High Availability is achieved via Anchor Priority, SSO or both
• Sleeping Clients are no problem!
• Guest Portals can be managed:
  • Locally via WLC
  • Externally via ISE or CMX
• Guest users can be provisioned via WLC, CPI or ISE
• Guest activity can be monitored and reported via CPI or ISE
Q & A
Thank you