Cisco NAC Guest Server
Guest Access - Simplified
Tim Wellborn
SE
Sangeeta Kodukula
SE
DFW Cisco Users Group, April 6, 2011
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Agenda
1 The “Business Case” For Secure Guest Access
2 Cisco NAC Guest Server Overview
3 Deployment Options
4 Summary & Additional Resources
5 Demo
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
2
The Enterprise Hotspot
Enterprises are the most important hotspot destination for
business partners in a connected world.
 Provide network access to visitors
 Presents a professional and secure
access to visitors
 Enable improved productivity from
vendors and contractors
 Strengthen collaboration between
employees and partners
Provide Guest Access in a seamless, secure manner
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
3
Guest Access Considerations
Ease of use
Provisioning of user accounts
Receptionist, help desk, any user
Integration with
network infrastructure
Reduce infrastructure upgrades
Avoid parallel network infrastructure
Audit and
accountability
Know who is doing what
Know who created which account
Cost
Cost of implementation
Cost of ongoing management
Security
Meet security policy requirements
Provide secure guest access
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
4
ROI - Cisco Internal Real World Example
 400,000 Guests per year (and increasing)
 $X per call to setup a guest (cost avoided)
 Cost savings of $M/year by self provisioning
April 08
January 05
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
5
NAC Guest Server
Overview
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
6
Four Key Components of Guest Access
SPONSOR
The internal user who wants to be able to provide
internet access to their guest
NAC GUEST SERVER
Enables sponsor to create guest account; audits;
provisions account on network enforcement device
NETWORK ENFORCEMENT DEVICE
Web re-direction, authentication and provides access.
Wireless LAN Controller or NAC Appliance
GUEST
The visitor who needs network access
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
7
Managing the Guest User Lifecycle
NOTIFICATION
PROVISIONING
Create Guest Accounts
Create a single Guest Account
Print Account and Access Details
Create multiple Guest Accounts
by Importing a CSV file
Send Account Details via Email
Manage Guest Accounts
Send Account Details via SMS
Report on Guests
View, edit or suspend your
Guest Accounts
View audit reports on individual
Guest accounts
Manage batches of accounts
you have created
Display Management reports on
Guest Access
REPORTING
MANAGEMENT
NAC_BDM_May
Give Accounts to Guests
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
8
Provisioning
 Who should create user accounts?
Receptionist/Lobby Ambassador
IT Security
Managers
Help Desk
Any Employee
 NAC Guest Server lets you choose
based upon your security policy
 Allowing any employee to create accounts provides
increased usage and will be just as secure
 Reduced Cost
 Full Audit Trail
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
 Speed of access
 Ease of use
Cisco Confidential
9
Sponsor Portal
 Customizable Web Portal
for internal sponsors
 Authenticate with corporate
credentials
Local Database
Active Directory
LDAP
RADIUS
Kerberos
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
10
Sponsor Single Sign On
Log in to Windows
Automatic Authentication
to NAC Guest Server
 Integrates with Active Directory
 Supports all windows authentication mechanisms including:
 username/password
 Smart Card
NAC_BDM_May
 Biometrics etc.
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
11
Creating Guest Accounts
1. Enter user details
2. Specify start and
end times
3. Add user
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
12
Username Policy
Email Address
First/Last Name
Random
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
13
Guest Password Policy
Alphabetic
Numeric
Special
Choice of characters and length
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
14
Flexible Time Policies
 Create accounts by:
- Start/End Time
- Usage from first login
- For example account valid for 1
hour from first login
- Usage within a certain period
- For example account valid for 2
hours within 24 hours from first login
 Account Restrictions
-Set times when guest cannot login,
such as outside office hours
Provides complete flexibility for when you want to allow guest access
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
15
Notification: Guest User Account
Delivery
Send account
information via
print-out, email,
or SMS
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
16
Audit and Reports
Visibility and Management of Guest Users
Sponsor
Information
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Guest
Information
Cisco Confidential
Account
Management
17
Guest Activity Reporting
Internet
Username: guestname
IP Address: 10.1.1.1
Login Time: 15:05
Logout Time: 14:30
15:07 10.1.1.1 accessed
http://www.cisco.com
15:08 10.1.1.1 used
the bittorrent protocol
15:09 10.1.1.1 connected to
vpn.mycompany.com
Consolidated Audit Report of Guest Activity
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
18
Detailed guest audit information
 When they logged in
 Where they logged in
 The guests address
 What they did
 What was allowed
 What was disallowed
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
19
NAC Guest Server
Deployment Options
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
20
Network Enforcement Devices
Network Enforcement Devices control the guest user
Deliver the automatic redirect to a captive portal
Authenticate the user against the Guest Server
Enforce the Users Access Privileges
Records Network Access Information
 Cisco NAC Appliance for Secure Guest Access
 Cisco Wireless LAN Controllers
 Cisco Catalyst Switch
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
21
Customizable Portals
Login
Welcome to our
guest hotspot!
Credit Card
Guest Self Registration
Password Change
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Fully customize this page and add
the widgets you want!
22
NAC Guest Server Walkthrough
NAC Guest Server
1. Sponsor creates
account on the
NAC Guest Server
2. Sponsor gives the
credentials to the guest via
print-out, email or sms
RADIUS
Wireless LAN Controller
NAC Guest Server
3. Guest authenticates with the web portal from NGS which
authenticates the guest by RADIUS to the NGS
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
23
NAC Guest Server Walkthrough
Internet
Wireless LAN Controller
4. If auth is successful the guest is given Internet access
5. Wireless LAN Controller
and Firewalls provide audit
information to the
NAC Guest Server
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
6. When the
account expires
the Wireless
LAN Controller
logs off the
guest
24
Wireless Only Deployment
Easiest to deploy; least design impact
Broad use-case
Active Directory
Sponsored
Guest
LAN\Wan
Optional
Cisco NGS
Guest Server
Wireless LAN
Controller
Internet
* Employee Wireless uses separate SSID providing higher security and full network access
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
25
Add Secure Wired Access in Public Spaces
Enabling this feature may have impact to network design and configuration changes.
Employee wired access on these ports becomes limited to internet in this scenario
Employee
Active Directory
Sponsored
Guest
Conference Room
Ports
Parity for
Wired / WLAN
LAN\Wan
Optional
Cisco NGS
Guest Server
Wireless LAN
Controller
Internet
* Employee Wireless uses separate SSID providing higher security and full network access
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
26
Complete Guest and Employee Secure
Network Access
Enabling this feature on switch ports leverages similar 802.1X PEAP solution typical of Enterprise
Wireless authentication.
Employee
SSC
802.1X/MAB
Compatibility
Active Directory
Employee
Sponsored
Guest
Parity for
Wired / WLAN
LAN\Wan
Switch
Cisco NGS
Guest Server
Wireless LAN
Controller
Internet
* Employee Wireless uses separate SSID providing higher security and full network access
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
27
Application Programming Interface
 Open Web API for use by custom applications
 Example applications:
Visitor Management Systems (Automatically create guest accounts)
Hotel Property Management Systems (Provision at guest check-in)
Identity Management System (Single portal for all accounts)
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
28
Costing Summary
Product
Hardware
Software
HW/SW
Maintenance
NAC3315-GUEST-K9
$24,995 (list)
Included
$3,989 (sntp)
•Above does not include Implementation planning and
deployment
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
29
MANY Variations
NAC Guest Server is the primary tool to meet
requirements of most guest access solutions
 Different Designs
 Different Network Enforcement Devices
 Different Authentication Methods
 Different Auditing/Tracking Requirements
NAC Guest Server with Wireless Guest Access
Provides easy yet secure solution
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
30
DEMO
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
31
NAC_BDM_May
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
32