Cisco NAC Guest Server: Guest Access - Simplified
Tim Wellborn, SE
Sangeeta Kodukula, SE
DFW Cisco Users Group, April 6, 2011
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 2: Agenda
1. The “Business Case” for Secure Guest Access
2. Cisco NAC Guest Server Overview
3. Deployment Options
4. Summary & Additional Resources
5. Demo

Slide 3: The Enterprise Hotspot
Enterprises are the most important hotspot destination for business partners in a connected world.
- Provide network access to visitors
- Present professional and secure access to visitors
- Enable improved productivity from vendors and contractors
- Strengthen collaboration between employees and partners
- Provide guest access in a seamless, secure manner

Slide 4: Guest Access Considerations
- Ease of use: provisioning of user accounts by the receptionist, the help desk, or any user
- Integration with network infrastructure: reduce infrastructure upgrades; avoid a parallel network infrastructure
- Audit and accountability: know who is doing what; know who created which account
- Cost: cost of implementation; cost of ongoing management
- Security: meet security policy requirements; provide secure guest access

Slide 5: ROI - Cisco Internal Real World Example
- 400,000 guests per year (and increasing)
- $X per call to set up a guest (cost avoided)
- Cost savings of $M/year by self-provisioning
[Chart: guest volume growth, January 05 to April 08]

Slide 6: NAC Guest Server Overview
Slide 7: Four Key Components of Guest Access
- SPONSOR: the internal user who wants to be able to provide internet access to their guest
- NAC GUEST SERVER: enables the sponsor to create the guest account; audits; provisions the account on the network enforcement device
- NETWORK ENFORCEMENT DEVICE: performs web redirection and authentication, and provides access (Wireless LAN Controller or NAC Appliance)
- GUEST: the visitor who needs network access

Slide 8: Managing the Guest User Lifecycle
- PROVISIONING (create guest accounts): create a single guest account; create multiple guest accounts by importing a CSV file
- NOTIFICATION (give accounts to guests): print account and access details; send account details via email; send account details via SMS
- MANAGEMENT (manage guest accounts): view, edit or suspend your guest accounts; manage batches of accounts you have created
- REPORTING (report on guests): view audit reports on individual guest accounts; display management reports on guest access

Slide 9: Provisioning
Who should create user accounts?
- Receptionist / Lobby Ambassador
- IT Security Managers
- Help Desk
- Any Employee
NAC Guest Server lets you choose based upon your security policy. Allowing any employee to create accounts provides increased usage and will be just as secure:
- Reduced cost
- Full audit trail
- Speed of access
- Ease of use

Slide 10: Sponsor Portal
Customizable web portal for internal sponsors. Sponsors authenticate with corporate credentials against:
- Local Database
- Active Directory
- LDAP
- RADIUS
- Kerberos

Slide 11: Sponsor Single Sign On
Log in to Windows, then automatic authentication to NAC Guest Server. Integrates with Active Directory and supports all Windows authentication mechanisms, including:
- Username/password
- Smart card
- Biometrics, etc.
Slide 12: Creating Guest Accounts
1. Enter user details
2. Specify start and end times
3. Add user

Slide 13: Username Policy
- Email address
- First/last name
- Random

Slide 14: Guest Password Policy
- Alphabetic
- Numeric
- Special
Choice of characters and length.

Slide 15: Flexible Time Policies
Create accounts by:
- Start/end time
- Usage from first login (for example, account valid for 1 hour from first login)
- Usage within a certain period (for example, account valid for 2 hours within 24 hours from first login)
Account restrictions:
- Set times when the guest cannot log in, such as outside office hours
Provides complete flexibility for when you want to allow guest access.

Slide 16: Notification: Guest User Account Delivery
Send account information via print-out, email, or SMS.

Slide 17: Audit and Reports
Visibility and management of guest users:
- Sponsor information
- Guest information
- Account management

Slide 18: Guest Activity Reporting
Consolidated audit report of guest activity:
Internet Username: guestname
IP Address: 10.1.1.1
Login Time: 15:05
Logout Time: 14:30
15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com

Slide 19: Detailed Guest Audit Information
- When they logged in
- Where they logged in
- The guest's address
- What they did
- What was allowed
- What was disallowed
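The three validity modes and the login-hour restriction on the time-policy slide decide both whether a login attempt is accepted and when the enforcement device must log the guest off. The following is an added Python example, not NAC Guest Server code; the GuestAccount fields, the mode names and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import Optional

@dataclass
class GuestAccount:
    mode: str                               # "window", "from_first_login" or "usage_within"
    start: Optional[datetime] = None        # fixed start/end (mode "window" only)
    end: Optional[datetime] = None
    usage: timedelta = timedelta(hours=1)   # allowed usage after first login
    period: Optional[timedelta] = None      # outer period (mode "usage_within" only)
    first_login: Optional[datetime] = None  # recorded by the enforcement device
    used: timedelta = timedelta(0)          # session time already consumed
    blocked_hours: tuple = ()               # (from, to) local times when login is denied

def login_decision(acct, now):  # -> (allowed, reason); restrictions are checked first
    t = now.time()  # a blocked (from, to) range may wrap midnight, e.g. 18:00-08:00
    if any((f <= t < to) if f <= to else (t >= f or t < to) for f, to in acct.blocked_hours):
        return False, "restricted hours"
    if acct.mode == "window":
        if not (acct.start <= now < acct.end):
            return False, "outside start/end window"
    elif acct.mode == "from_first_login":
        if acct.first_login and now >= acct.first_login + acct.usage:
            return False, "usage time since first login exhausted"
    elif acct.mode == "usage_within":
        if acct.first_login and now >= acct.first_login + acct.period:
            return False, "period since first login expired"
        if acct.used >= acct.usage:
            return False, "usage allowance exhausted"
    else:
        return False, "unknown policy"  # fail closed on a policy the code does not know
    return True, "ok"

def session_deadline(acct, now):  # when the enforcement device must log the guest off
    if acct.mode == "window":
        return acct.end
    first = acct.first_login or now
    if acct.mode == "from_first_login":
        return first + acct.usage
    return min(first + acct.period, now + (acct.usage - acct.used))  # whichever comes first

def at(hour, minute=0):  # constructed clock helper: a time on 6 April 2011
    return datetime(2011, 4, 6, hour, minute)
SAMPLES = {  # constructed sample accounts, not values from the deck
    "window": GuestAccount("window", start=at(9), end=at(17), blocked_hours=((time(18), time(8)),)),
    "first_login": GuestAccount("from_first_login", first_login=at(13, 30)),
    "usage_within": GuestAccount("usage_within", usage=timedelta(hours=2), period=timedelta(hours=24),
                                 first_login=at(10), used=timedelta(minutes=90)),
}
```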
Slide 20: NAC Guest Server Deployment Options

Slide 21: Network Enforcement Devices
Network enforcement devices control the guest user:
- Deliver the automatic redirect to a captive portal
- Authenticate the user against the Guest Server
- Enforce the user's access privileges
- Record network access information
Supported devices:
- Cisco NAC Appliance for secure guest access
- Cisco Wireless LAN Controllers
- Cisco Catalyst Switch

Slide 22: Customizable Portals
Portal pages: Login (“Welcome to our guest hotspot!”), Credit Card, Guest Self Registration, Password Change. Fully customize this page and add the widgets you want!

Slide 23: NAC Guest Server Walkthrough
1. Sponsor creates the account on the NAC Guest Server.
2. Sponsor gives the credentials to the guest via print-out, email or SMS.
3. Guest authenticates with the web portal from the NGS, which authenticates the guest by RADIUS to the NGS (RADIUS exchange between the Wireless LAN Controller and the NAC Guest Server).

Slide 24: NAC Guest Server Walkthrough (continued)
4. If authentication is successful the guest is given Internet access.
5. The Wireless LAN Controller and firewalls provide audit information to the NAC Guest Server.
6. When the account expires the Wireless LAN Controller logs off the guest.

Slide 25: Wireless Only Deployment
Easiest to deploy; least design impact; broad use case.
[Diagram: Sponsored Guest -> Wireless LAN Controller -> Internet; Cisco NGS Guest Server and optional Active Directory on the LAN/WAN]
* Employee wireless uses a separate SSID providing higher security and full network access.
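Step 5 feeds audit records from the Wireless LAN Controller and firewalls to the Guest Server; the consolidated per-guest report on the Guest Activity Reporting slide comes from attributing each IP-keyed event to the session that held that address at that time, which matters because a guest IP is handed to the next guest once a session ends. The following is an added Python example, not the product's own reporting code; the record layout, the sample sessions and events, and the allowed/disallowed policy are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample data, not real logs: session records as the enforcement device
# reports them to the Guest Server, and firewall/proxy events keyed only by source IP.
# The same IP is handed to a second guest later, so attribution must be time-bounded.
SESSIONS = [
    {"user": "guestname", "ip": "10.1.1.1", "login": "2011-04-06 15:05", "logout": "2011-04-06 15:30"},
    {"user": "guest2", "ip": "10.1.1.1", "login": "2011-04-06 16:00", "logout": None},  # still online
]
EVENTS = """\
2011-04-06 15:07 10.1.1.1 accessed http://www.cisco.com
2011-04-06 15:08 10.1.1.1 used the bittorrent protocol
2011-04-06 15:09 10.1.1.1 connected to vpn.mycompany.com
2011-04-06 15:45 10.1.1.1 accessed http://example.net
2011-04-06 16:02 10.1.1.1 accessed http://www.cisco.com
"""
DISALLOWED = ("used the bittorrent protocol", "connected to vpn.")  # assumed guest policy
EVENT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (.+)$")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def owner_of(ip, ts, sessions):
    """Return the guest whose session covered ip at time ts, or None if nobody was logged in."""
    for s in sessions:
        if s["ip"] != ip:
            continue
        still_on = s["logout"] is None or ts < parse_ts(s["logout"])
        if parse_ts(s["login"]) <= ts and still_on:
            return s["user"]
    return None

def consolidate(sessions, events_text):
    """Per-guest audit trail: (time, action, verdict) lists, plus events no session explains."""
    report = {s["user"]: [] for s in sessions}
    unattributed = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, ip, action = parse_ts(m.group(1)), m.group(2), m.group(3)
        verdict = "disallowed" if action.startswith(DISALLOWED) else "allowed"
        user = owner_of(ip, ts, sessions)
        if user is None:
            unattributed.append((ts.strftime("%H:%M"), ip, action))
        else:
            report[user].append((ts.strftime("%H:%M"), action, verdict))
    return report, unattributed
```

Events that fall outside every session (here the 15:45 line) are kept in a separate list rather than silently assigned to the nearest guest, since that gap itself is something to investigate.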
Slide 26: Add Secure Wired Access in Public Spaces
Enabling this feature may have an impact on network design and require configuration changes. Employee wired access on these ports becomes limited to the Internet in this scenario.
[Diagram: Employee and Sponsored Guest on conference room ports, parity for wired / WLAN; Wireless LAN Controller -> Internet; Cisco NGS Guest Server and optional Active Directory on the LAN/WAN]
* Employee wireless uses a separate SSID providing higher security and full network access.

Slide 27: Complete Guest and Employee Secure Network Access
Enabling this feature on switch ports leverages a similar 802.1X PEAP solution to the one typical of enterprise wireless authentication.
- Employee SSC
- 802.1X/MAB compatibility
[Diagram: Employee and Sponsored Guest on Switch and Wireless LAN Controller, parity for wired / WLAN; Cisco NGS Guest Server and Active Directory on the LAN/WAN; Internet]
* Employee wireless uses a separate SSID providing higher security and full network access.

Slide 28: Application Programming Interface
Open web API for use by custom applications. Example applications:
- Visitor Management Systems (automatically create guest accounts)
- Hotel Property Management Systems (provision at guest check-in)
- Identity Management System (single portal for all accounts)

Slide 29: Costing Summary
Product           Hardware         Software   HW/SW Maintenance
NAC3315-GUEST-K9  $24,995 (list)   Included   $3,989 (sntp)
Note: the above does not include implementation planning and deployment.
Slide 30: Many Variations
NAC Guest Server is the primary tool to meet the requirements of most guest access solutions:
- Different designs
- Different network enforcement devices
- Different authentication methods
- Different auditing/tracking requirements
NAC Guest Server with wireless guest access provides an easy yet secure solution.

Slide 31: Demo