Be my guest! Design and Deploy Wireless Guest Access that ...

1 Be my Guest ! Design and Deploy Wireless Guest Access that WorksFederico Ziliotto, Consulting Systems EngineerCCIE 23280 ( Wireless , R&S)BRKEWN-2014 Wireless Guest Access We don t like to pay for it. We like easy Access (no barriers or narrow ramps). We would like to (re)use it as long as we want. We don t always mind if it is not surveilled. We can Access it from the street. 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicFederico Fede 10 years at Ciscoo4 years as a Customer Support Engineero3 years as a Specialized Systems Engineero3 years as a Consulting Systems Engineer Always focused on Wireless and NACA mateur photographer (gearhead)Very, very amateur catamaran sailorBRKEWN-20144 2017 Cisco and/or its affiliates.

2 All rights reserved. Cisco PublicWhat this session will web redirection techniques; WLC web authentication; Connected Mobile Experiences (CMX); Identity Services Engine (ISE); some use cases and caveats; CUWN and AireOS. configuration/customization details; version discrepancies; roadmap; service provider solutions; Enterprise Mobility Services Platform (EMSP)..except when it what it won t 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicFor your reference There are slides in your PDF that will not be presented, or quickly presented. They are valuable, but included only For your reference.

3 6 BRKEWN-2014 For your referenceFor your reference 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicSession Abstract Guest networks are everywhere nowadays and almost any Wireless deployment comes with the requirement for a Guest SSID. Through this session you will learn all about the different Cisco Guest solutions, which one to choose according to your needs, and how to successfully implement it. As a bonus, we will also try showing you potential caveats of Wireless Guest networks: this should assist you with proof-testing your own configuration to pro-actively anticipate potential your reference 2017 Cisco and/or its affiliates.

4 All rights reserved. Cisco PublicCisco Digital Network Architecture for mobilityAutomation Plug n Play EasyQOS ISE: .1x, BYOD and GuestOpen APIs: Modular Aps with Restful APIsCloud Service Management CMX with Context and GuestPlatforms & VirtualizationAssurance Restful APIs on WLC NetflowExport Apple Network Optimization & FastLanePrinciples Modular AP s with Restful API s DNA Optimized Controllers: 3504, 5520, 8540 Various VM Models: ESXi, KVM, HyperV, AWSI nsights and ExperiencesAutomation and AssuranceSecurity and ComplianceOutcomesBRKEWN-20148 For your reference 2017 Cisco and/or its affiliates.

5 All rights reserved. Cisco PublicEmbedded SecurityBuilt forToday s ThreatsSecurity Expertiseand InnovationEvidenceof TrustOrganizations can no longer rely on perimeter devices to protect the network from cyber There has never been a greater need to improve network infrastructure securityAlert TA16-251A, September 2016 Trustworthy SystemsProtect the DeviceLearn more: Visit See: BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security Meet the Engineer: Topic: Security and Trust Architecture BRKEWN-20149 For your reference 2017 Cisco and/or its affiliates.

6 All rights reserved. Cisco PublicAgenda Why Guest Access and what is it? Theory of operations The right solution for the right needs Tips, tricks and use cases 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicA few words of cautionBRKEWN-201411 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicA service for visitors Because we are used to Wi-Fi (at home, in the office, etc.). Cost savings for roaming users. Because we value it when we visit a company / event / location / (free) Wi-Fi?BRKEWN-201412 2017 Cisco and/or its affiliates. All rights reserved.

7 Cisco PublicA service for visitorsWhy web portals and/or other (security) measures?Even if they left it open,would we freely walk into our neighbor s housewithout invitation?Same thingfor open Wi-FiIn many Countries it is illegal to connect to an open Wi-Fi network without being granted formal 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicDid we already mention for visitors?BRKEWN-2005 But yes, without any better alternative, employees and/or contractors will try to use it anyway with their own yes, they will complain if it does not work : need to go through a web page login requested every day have to ask for a new account 2017 Cisco and/or its affiliates.

8 All rights reserved. Cisco PublicA service for the companyWhy (free) Wi-Fi?CustomersatisfactionAnalytics$$$$$ $BRKEWN-201415 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicA service for the company Depending on the Country, the Wi-Fi operator needs to comply with some rules. Disclaimershelp Wi-Fi operators (and end users too) to avoid liability. Without disclaimers, or according to other specific laws, the Wi-Fi operator might have to guarantee additional, adequate security measures (FW, IPS, etc.). Note:lawful intercept ( , logs collection) does not always require a user identity in the form of user name, given name, family name, the user identity can simply be translated to the MAC web portals and/or other (security) measures?

9 BRKEWN-201416 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicIn summary, why Guest Access ?2 main goals: Access / provide (free) Wi-Fi. Be legally to achieve them? Let them Access it for free, they will be thankful. They need to pay, pay, pay! Make extra money! Make it easy, an AUP (acceptable use policy)is all you need. They will sue you, ask for passports! Encourage them to return. Don t let them exploit you, block themafter the first visit! BRKEWN-201417 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicRequirements for secure Guest Access No Access until authorized Guest traffic should be segregated from the internal network Web-based authentication Bandwidth and QoS management Overlay onto existing enterprise network No device reconfiguration, no client software required Plug & Play Easy administration by non-IT staff Splash screens and web content can differ by location Guest network must be free or cost-effective and non-disruptive Mandatory acceptance of disclaimer or Acceptable Use Policy (AUP) Logging & Monitoring.

10 Auditing of location, MAC, IP address, usernameTechnicalUsabilityMonitoringBRKE WN-201418 For your referenceTheory of operations 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicWireless connection workflowEndpointCAPWAPA ccess Point(AP) Wireless LAN Controller(WLC) Request (not for , but in case of PSK)Authentication ResponseMAC Filtering and/or exchange (in case of PSK or )DHCP / DNSL ayer 2 AuthenticationLayer 3 AuthenticationWeb Captive PortalBRKEWN-201420 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicSecure or open SSID? Secure SSID Open SSID A secure SSID cannot fall back to open.