Cisco NAC Guest Server
Guest Access - Simplified
Tim Wellborn, SE
Sangeeta Kodukula, SE
DFW Cisco Users Group, April 6, 2011
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda
1. The “Business Case” for Secure Guest Access
2. Cisco NAC Guest Server Overview
3. Deployment Options
4. Summary & Additional Resources
5. Demo

The Enterprise Hotspot
Enterprises are the most important hotspot destination for business partners in a connected world.
§ Provide network access to visitors
§ Present professional and secure access to visitors
§ Enable improved productivity from vendors and contractors
§ Strengthen collaboration between employees and partners
Provide guest access in a seamless, secure manner.

Guest Access Considerations
§ Ease of use
- Provisioning of user accounts: receptionist, help desk, any user
§ Integration with network infrastructure
- Reduce infrastructure upgrades
- Avoid parallel network infrastructure
§ Audit and accountability
- Know who is doing what
- Know who created which account
§ Cost of implementation
§ Cost of ongoing management
§ Security
- Meet security policy requirements
- Provide secure guest access

ROI - Cisco Internal Real World Example
§ 400,000 guests per year (and increasing)
§ $X per call to set up a guest (cost avoided)
§ Cost savings of $M/year by self provisioning
(Chart: guest volume, January 05 to April 08)

NAC Guest Server Overview

Four Key Components of Guest Access
§ SPONSOR: the internal user who wants to be able to provide internet access to their guest
§ NAC GUEST SERVER: enables the sponsor to create a guest account; audits; provisions the account on the network enforcement device
§ NETWORK ENFORCEMENT DEVICE: web redirection, authentication, and provides access (Wireless LAN Controller or NAC Appliance)
§ GUEST: the visitor who needs network access

Managing the Guest User Lifecycle
PROVISIONING - Create Guest Accounts
- Create a single Guest Account
- Create multiple Guest Accounts by importing a CSV file
NOTIFICATION - Give Accounts to Guests
- Print account and access details
- Send account details via email
- Send account details via SMS
MANAGEMENT - Manage Guest Accounts
- View, edit or suspend your Guest Accounts
- Manage batches of accounts you have created
REPORTING - Report on Guests
- View audit reports on individual Guest Accounts
- Display management reports on guest access

Provisioning
§ Who should create user accounts?
- Receptionist/Lobby Ambassador
- IT Security Managers
- Help Desk
- Any Employee
§ NAC Guest Server lets you choose based upon your security policy
§ Allowing any employee to create accounts provides increased usage and will be just as secure
§ Reduced cost
§ Full audit trail
§ Speed of access
§ Ease of use

Sponsor Portal
§ Customizable web portal for internal sponsors
§ Authenticate with corporate credentials:
- Local Database
- Active Directory
- LDAP
- RADIUS
- Kerberos

Sponsor Single Sign On
Log in to Windows, then automatic authentication to NAC Guest Server.
§ Integrates with Active Directory
§ Supports all Windows authentication mechanisms, including:
- username/password
- Smart Card
- Biometrics etc.

Creating Guest Accounts
1. Enter user details
2. Specify start and end times
3. Add user

Username Policy
- Email Address
- First/Last Name
- Random

Guest Password Policy
- Alphabetic
- Numeric
- Special
Choice of characters and length.

Flexible Time Policies
§ Create accounts by:
- Start/End Time
- Usage from first login (for example, account valid for 1 hour from first login)
- Usage within a certain period (for example, account valid for 2 hours within 24 hours from first login)
§ Account Restrictions
- Set times when a guest cannot log in, such as outside office hours
Provides complete flexibility for when you want to allow guest access.
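The three validity models and the login-time restriction described above, worked through as an added example that is not code from the deck or from NAC Guest Server: a small policy evaluator decides whether a login attempt is allowed and when the enforcement device must log the guest off. The account fields and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, time
from typing import List, Optional, Tuple
# Constructed model of the slide's policy types; field names are assumptions, not NAC Guest Server's schema.
@dataclass
class GuestAccount:
    username: str
    start: Optional[datetime] = None     # Start/End Time policy
    end: Optional[datetime] = None
    usage: Optional[timedelta] = None    # usage allowed after first login
    period: Optional[timedelta] = None   # window the usage must fall in (None: plain "from first login")
    blackouts: List[Tuple[time, time]] = field(default_factory=list)  # login refused in these windows
    first_login: Optional[datetime] = None
    used: timedelta = timedelta(0)       # session time already consumed

def in_blackout(t: time, win: Tuple[time, time]) -> bool:
    lo, hi = win
    return lo <= t < hi if lo <= hi else (t >= lo or t < hi)  # second form wraps midnight

def login_allowed(acct: GuestAccount, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a login attempt at `now`."""
    if any(in_blackout(now.time(), w) for w in acct.blackouts):
        return False, "login restricted at this time"
    if acct.start is not None and now < acct.start:
        return False, "account not yet active"
    if acct.end is not None and now >= acct.end:
        return False, "account expired"
    if acct.usage is not None and acct.first_login is not None:
        if acct.period is None:                          # "1 hour from first login"
            if now >= acct.first_login + acct.usage:
                return False, "usage time elapsed"
        else:                                            # "2 hours within 24 hours"
            if now >= acct.first_login + acct.period:
                return False, "usage period elapsed"
            if acct.used >= acct.usage:
                return False, "usage budget exhausted"
    return True, "ok"

def start_session(acct: GuestAccount, login: datetime) -> Optional[datetime]:
    """Record first login; return when the enforcement device must log the guest off (None: no limit)."""
    if acct.first_login is None:
        acct.first_login = login
    limits = [acct.end]
    if acct.usage is not None:
        if acct.period is None:
            limits.append(acct.first_login + acct.usage)
        else:
            limits.append(min(acct.first_login + acct.period, login + acct.usage - acct.used))
    limits = [t for t in limits if t is not None]
    return min(limits) if limits else None
```

The caller adds `logout - login` to `used` when a session ends so the "within a period" budget is enforced across several logins.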

Notification: Guest User Account Delivery
Send account information via print-out, email, or SMS.

Audit and Reports
Visibility and management of guest users:
- Sponsor Information
- Guest Information
- Account Management

Guest Activity Reporting
(Diagram: guest traffic to the Internet)
Username: guestname
IP Address: 10.1.1.1
Login Time: 15:05
Logout Time: 14:30
15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com
Consolidated Audit Report of Guest Activity

Detailed guest audit information
§ When they logged in
§ Where they logged in
§ The guest's address
§ What they did
§ What was allowed
§ What was disallowed
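How the consolidated audit report on the previous two slides can be assembled, as an added example that is not part of the deck or the product: activity events from the enforcement device and firewall are attributed to a guest by matching the source IP against the session window, because the same address is handed to later guests and an IP alone would misattribute. Log formats, hostnames and values are constructed for illustration.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample records in the shape of the slide's report: a session list
# from the enforcement device and activity events from a firewall. Formats and
# values are invented for illustration, not NAC Guest Server's real log format.
SESSIONS = [
    # username, IP, login, logout (None = still connected), where
    ("guestname", "10.1.1.1", "2011-04-06 15:05", "2011-04-06 15:30", "Lobby-WLC"),
    ("visitor2",  "10.1.1.1", "2011-04-06 16:00", None,               "Lobby-WLC"),
]
EVENTS = """\
2011-04-06 15:07 10.1.1.1 accessed http://www.cisco.com allow
2011-04-06 15:08 10.1.1.1 used the bittorrent protocol deny
2011-04-06 15:09 10.1.1.1 connected to vpn.mycompany.com allow
2011-04-06 16:02 10.1.1.1 accessed http://www.example.com allow
2011-04-06 15:45 10.1.1.1 accessed http://www.example.org allow
""".splitlines()

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def owner_of(ip: str, when: datetime, sessions=SESSIONS) -> Optional[dict]:
    """Return the session that held `ip` at `when`; the address is reused, so the
    time window, not the IP alone, decides attribution."""
    for user, sip, login, logout, where in sessions:
        if sip != ip:
            continue
        if ts(login) <= when and (logout is None or when < ts(logout)):
            return {"user": user, "where": where, "login": login, "logout": logout}
    return None

def consolidate(events=EVENTS, sessions=SESSIONS) -> Dict[str, dict]:
    """Build the per-guest report: when/where they logged in, their address, what
    they did, and what was allowed or disallowed. Events matching no session are
    kept under 'unattributed' so gaps in accounting stay visible."""
    report: Dict[str, dict] = {}
    for line in events:
        date, clock, ip, rest = line.split(" ", 3)
        action, verdict = rest.rsplit(" ", 1)
        when = ts(f"{date} {clock}")
        sess = owner_of(ip, when, sessions)
        key = sess["user"] if sess else "unattributed"
        entry = report.setdefault(key, {"address": ip, "allowed": [], "disallowed": []})
        if sess:
            entry.update(login=sess["login"], logout=sess["logout"], where=sess["where"])
        entry["allowed" if verdict == "allow" else "disallowed"].append((clock, action))
    return report
```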

NAC Guest Server Deployment Options

Network Enforcement Devices control the guest user:
- Deliver the automatic redirect to a captive portal
- Authenticate the user against the Guest Server
- Enforce the user's access privileges
- Record network access information
§ Cisco NAC Appliance for Secure Guest Access
§ Cisco Wireless LAN Controllers
§ Cisco Catalyst Switch

Customizable Portals
Sample portal text: "Welcome to our guest hotspot!"
Widgets:
- Login
- Credit Card
- Guest Self Registration
- Password Change
Fully customize this page and add the widgets you want!

NAC Guest Server Walkthrough
(Diagram: NAC Guest Server, Wireless LAN Controller, RADIUS)
1. Sponsor creates account on the NAC Guest Server
2. Sponsor gives the credentials to the guest via print-out, email or SMS
3. Guest authenticates with the web portal from NGS, which authenticates the guest by RADIUS to the NGS

NAC Guest Server Walkthrough
(Diagram: Wireless LAN Controller, Internet)
4. If auth is successful the guest is given Internet access
5. Wireless LAN Controller and firewalls provide audit information to the NAC Guest Server
6. When the account expires the Wireless LAN Controller logs off the guest

Wireless Only Deployment
Easiest to deploy; least design impact. Broad use-case.
(Diagram: Active Directory, Sponsored Guest, LAN/WAN, optional Cisco NGS Guest Server, Wireless LAN Controller, Internet)
* Employee wireless uses a separate SSID providing higher security and full network access

Add Secure Wired Access in Public Spaces
Enabling this feature may affect network design and require configuration changes. Employee wired access on these ports becomes limited to the internet in this scenario.
(Diagram: Employee, Active Directory, Sponsored Guest, Conference Room Ports, LAN/WAN, optional Cisco NGS Guest Server, Wireless LAN Controller, Internet; parity for wired / WLAN)
* Employee wireless uses a separate SSID providing higher security and full network access

Complete Guest and Employee Secure Network Access
Enabling this feature on switch ports leverages a similar 802.1X PEAP solution typical of enterprise wireless authentication.
(Diagram: Employee with SSC, 802.1X/MAB, Switch, Active Directory, Sponsored Guest, LAN/WAN, Cisco NGS Guest Server, Wireless LAN Controller, Internet; 802.1X/MAB compatibility; parity for wired / WLAN)
* Employee wireless uses a separate SSID providing higher security and full network access

Application Programming Interface
§ Open Web API for use by custom applications
§ Example applications:
- Visitor Management Systems (automatically create guest accounts)
- Hotel Property Management Systems (provision at guest check-in)
- Identity Management System (single portal for all accounts)

Costing Summary
Product            Hardware        Software   HW/SW Maintenance
NAC3315-GUEST-K9   $24,995 (list)  Included   $3,989 (sntp)
• Above does not include implementation planning and deployment

MANY Variations
NAC Guest Server is the primary tool to meet the requirements of most guest access solutions:
§ Different designs
§ Different network enforcement devices
§ Different authentication methods
§ Different auditing/tracking requirements
NAC Guest Server with wireless guest access provides an easy yet secure solution.

DEMO
