Cisco NAC Guest Server

clearsleepingbagSecurity

Nov 30, 2013

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Presentation_ID

1

Cisco NAC Guest Server

Guest Access - Simplified

Tim Wellborn, SE
Sangeeta Kodukula, SE

DFW Cisco Users Group, April 6, 2011


Agenda

1. The “Business Case” for Secure Guest Access
2. Cisco NAC Guest Server Overview
3. Deployment Options
4. Summary & Additional Resources
5. Demo


The Enterprise Hotspot

- Provide network access to visitors
- Present a professional and secure access experience to visitors
- Enable improved productivity from vendors and contractors
- Strengthen collaboration between employees and partners

Enterprises are the most important hotspot destination for business partners in a connected world.

Provide guest access in a seamless, secure manner.


Guest Access Considerations

- Ease of use: provisioning of user accounts by the receptionist, help desk, or any user
- Integration with network infrastructure: reduce infrastructure upgrades; avoid a parallel network infrastructure
- Audit and accountability: know who is doing what; know who created which account
- Cost: cost of implementation; cost of ongoing management
- Security: meet security policy requirements; provide secure guest access


ROI - Cisco Internal Real World Example

- 400,000 guests per year (and increasing)
- $X per call to set up a guest (cost avoided)
- Cost savings of $M/year by self provisioning

(Chart spanning January 05 to April 08)


NAC Guest Server Overview


Four Key Components of Guest Access

- GUEST: the visitor who needs network access
- SPONSOR: the internal user who wants to be able to provide Internet access to their guest
- NETWORK ENFORCEMENT DEVICE: performs web redirection and authentication, and provides access; a Wireless LAN Controller or NAC Appliance
- NAC GUEST SERVER: enables the sponsor to create the guest account, audits, and provisions the account on the network enforcement device


Managing the Guest User Lifecycle

PROVISIONING - Create Guest Accounts
- Create a single guest account
- Create multiple guest accounts by importing a CSV file

NOTIFICATION - Give Accounts to Guests
- Print account and access details
- Send account details via email
- Send account details via SMS

MANAGEMENT - Manage Guest Accounts
- View, edit or suspend your guest accounts
- Manage batches of accounts you have created

REPORTING - Report on Guests
- View audit reports on individual guest accounts
- Display management reports on guest access


Provisioning

Who should create user accounts?
- Receptionist/Lobby Ambassador
- IT Security
- Managers
- Help Desk
- Any Employee

NAC Guest Server lets you choose based upon your security policy.

Allowing any employee to create accounts provides increased usage and will be just as secure:
- Reduced cost
- Full audit trail
- Speed of access
- Ease of use


Sponsor Portal

- Customizable web portal for internal sponsors
- Authenticate with corporate credentials:
  - Local Database
  - Active Directory
  - LDAP
  - RADIUS
  - Kerberos


Sponsor Single Sign On

- Integrates with Active Directory
- Supports all Windows authentication mechanisms, including:
  - Username/password
  - Smart card
  - Biometrics, etc.

Log in to Windows; authentication to NAC Guest Server is then automatic.


Creating Guest Accounts

1. Enter user details
2. Specify start and end times
3. Add user


Username Policy

- Email Address
- First/Last Name
- Random


Guest Password Policy

- Alphabetic
- Numeric
- Special

Choice of characters and length


Flexible Time Policies

Create accounts by:
- Start/End Time
- Usage from first login
  - For example, account valid for 1 hour from first login
- Usage within a certain period
  - For example, account valid for 2 hours within 24 hours from first login

Account Restrictions
- Set times when a guest cannot log in, such as outside office hours

Provides complete flexibility for when you want to allow guest access.
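As an added illustration of the three account types and the restriction described above (example code written for this page, not NAC Guest Server code; the policy names, the `GuestAccount` model and all function names are hypothetical), here is a small evaluator that decides whether a guest may log in at a given moment, books completed session time against the account, and computes the point at which the enforcement device should log the guest off:

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple

# Hypothetical policy kinds mirroring the three account types on the slide.
START_END = "start_end"                      # valid between a fixed start and end time
FROM_FIRST_LOGIN = "from_first_login"        # e.g. valid for 1 hour from first login
USAGE_WITHIN_PERIOD = "usage_within_period"  # e.g. 2 hours of usage within 24 hours of first login


@dataclass
class TimePolicy:
    kind: str
    start: Optional[datetime] = None       # START_END only
    end: Optional[datetime] = None         # START_END only
    allowance: Optional[timedelta] = None  # FROM_FIRST_LOGIN: lifetime; USAGE_WITHIN_PERIOD: usage budget
    window: Optional[timedelta] = None     # USAGE_WITHIN_PERIOD: period measured from first login
    # Account restriction: login is only allowed inside these (weekdays, from, to) windows.
    # An empty list means no restriction. Weekday 0 = Monday.
    allowed_windows: List[Tuple[frozenset, time, time]] = field(default_factory=list)


@dataclass
class GuestAccount:
    username: str
    policy: TimePolicy
    first_login: Optional[datetime] = None
    used: timedelta = timedelta(0)  # accumulated completed-session time (USAGE_WITHIN_PERIOD)


def within_restriction(policy: TimePolicy, now: datetime) -> bool:
    """True if 'now' falls inside an allowed window, or the policy has no restriction."""
    if not policy.allowed_windows:
        return True
    t = now.time()
    return any(now.weekday() in days and start <= t < end
               for days, start, end in policy.allowed_windows)


def login_decision(acct: GuestAccount, now: datetime) -> Tuple[bool, str]:
    """Decide whether the guest may log in at 'now'; returns (allowed, reason)."""
    p = acct.policy
    if not within_restriction(p, now):           # restriction is checked before the account type
        return False, "outside allowed hours"
    if p.kind == START_END:
        if now < p.start:
            return False, "account not yet active"
        if now >= p.end:
            return False, "account expired"
        return True, "within start/end window"
    if p.kind == FROM_FIRST_LOGIN:
        if acct.first_login is None:
            return True, "first login starts the clock"
        if now >= acct.first_login + p.allowance:
            return False, "lifetime since first login exhausted"
        return True, "within lifetime since first login"
    if p.kind == USAGE_WITHIN_PERIOD:
        if acct.first_login is None:
            return True, "first login starts the period"
        if now >= acct.first_login + p.window:
            return False, "usage period has ended"
        if acct.used >= p.allowance:
            return False, "usage budget exhausted"
        return True, "usage budget remaining"
    return False, "unknown policy kind"


def record_session(acct: GuestAccount, start: datetime, end: datetime) -> None:
    """Book a completed session against the account; the first one fixes first_login."""
    if acct.first_login is None:
        acct.first_login = start
    acct.used += end - start


def session_deadline(acct: GuestAccount, session_start: datetime) -> Optional[datetime]:
    """When the enforcement device should log off a session starting at 'session_start'.
    Derived from the account type only; the allowed-hours restriction is applied at login."""
    p = acct.policy
    first = acct.first_login or session_start
    if p.kind == START_END:
        return p.end
    if p.kind == FROM_FIRST_LOGIN:
        return first + p.allowance
    if p.kind == USAGE_WITHIN_PERIOD:
        remaining = p.allowance - acct.used
        return min(first + p.window, session_start + remaining)
    return None


if __name__ == "__main__":
    office = [(frozenset(range(5)), time(8, 0), time(18, 0))]  # Mon-Fri, 08:00-18:00
    pol = TimePolicy(USAGE_WITHIN_PERIOD, allowance=timedelta(hours=2),
                     window=timedelta(hours=24), allowed_windows=office)
    acct = GuestAccount("guest1", pol)
    now = datetime(2024, 1, 8, 9, 0)  # a Monday (constructed)
    print(login_decision(acct, now), session_deadline(acct, now))
```

The order of checks matters: the restriction (office hours) is evaluated before the account type, and the usage budget is only charged for completed sessions, so a running session has to be cut off by the enforcement device at the computed deadline rather than by a later login check.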


Notification: Guest User Account Delivery

Send account information via print-out, email, or SMS


Audit and Reports

- Sponsor Information
- Account Management
- Guest Information

Visibility and Management of Guest Users


Guest Activity Reporting

Session record:
  Username: guestname
  IP Address: 10.1.1.1
  Login Time: 15:05
  Logout Time: 14:30

Activity log (Internet edge):
  15:07  10.1.1.1  accessed http://www.cisco.com
  15:08  10.1.1.1  used the bittorrent protocol
  15:09  10.1.1.1  connected to vpn.mycompany.com

Consolidated Audit Report of Guest Activity


Detailed guest audit information

- When they logged in
- Where they logged in
- The guest's address
- What they did
- What was allowed
- What was disallowed
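The consolidated report on the previous two slides is, at its core, a join of session records against activity logs on source IP and time. As an added example (not from the slides and not NAC Guest Server code; the session records, log format, field names and sample lines are all constructed), the following attributes each logged event to the guest who held that IP at that moment, splits the result into allowed and disallowed activity, and flags events that no session explains, which is the case to watch for when a DHCP address is reused by a later guest:

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed session records, as an enforcement device would report them:
# who, which address, where (device/location), login and logout times.
SESSIONS = [
    {"username": "guestname",  "ip": "10.1.1.1", "where": "Lobby-WLC1",
     "login": "2024-01-08 15:05", "logout": "2024-01-08 15:30"},
    {"username": "otherguest", "ip": "10.1.1.1", "where": "Lobby-WLC1",
     "login": "2024-01-08 16:00", "logout": "2024-01-08 16:20"},
]

# Constructed firewall/proxy log lines: time, source IP, verb, object, verdict.
FIREWALL_LOG = """\
2024-01-08 15:07 10.1.1.1 accessed http://www.cisco.com allowed
2024-01-08 15:08 10.1.1.1 used bittorrent denied
2024-01-08 15:09 10.1.1.1 connected vpn.mycompany.com denied
2024-01-08 15:45 10.1.1.1 accessed http://example.invalid allowed
2024-01-08 16:05 10.1.1.1 accessed http://www.cisco.com allowed
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (allowed|denied)$")
TS = "%Y-%m-%d %H:%M"


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, verb, obj, verdict = m.groups()
        events.append({"time": datetime.strptime(ts, TS), "ip": ip,
                       "what": f"{verb} {obj}", "verdict": verdict})
    return events


def consolidate(sessions: List[dict], events: List[dict]) -> Dict[str, List[dict]]:
    """Per guest, one entry per session: when, where, address, allowed and disallowed activity.
    An event is attributed only if its source IP matches AND it falls inside the session window."""
    report: Dict[str, List[dict]] = {}
    for s in sessions:
        login = datetime.strptime(s["login"], TS)
        logout = datetime.strptime(s["logout"], TS)
        entry = {"when": f"{login:%H:%M}-{logout:%H:%M}", "where": s["where"],
                 "address": s["ip"], "allowed": [], "disallowed": []}
        for e in events:
            if e["ip"] == s["ip"] and login <= e["time"] <= logout:
                bucket = "allowed" if e["verdict"] == "allowed" else "disallowed"
                entry[bucket].append(f"{e['time']:%H:%M} {e['what']}")
        report.setdefault(s["username"], []).append(entry)
    return report


def unattributed(sessions: List[dict], events: List[dict]) -> List[dict]:
    """Events whose source IP had no guest session open at that time (gap in the audit trail)."""
    bounds = [(s["ip"], datetime.strptime(s["login"], TS), datetime.strptime(s["logout"], TS))
              for s in sessions]
    return [e for e in events
            if not any(e["ip"] == ip and lo <= e["time"] <= hi for ip, lo, hi in bounds)]


if __name__ == "__main__":
    evts = parse_log(FIREWALL_LOG)
    for user, entries in consolidate(SESSIONS, evts).items():
        for ent in entries:
            print(user, ent["when"], ent["where"], ent["address"])
            print("  allowed:   ", ent["allowed"])
            print("  disallowed:", ent["disallowed"])
    print("unattributed:", [(e["time"].strftime("%H:%M"), e["what"]) for e in unattributed(SESSIONS, evts)])
```

The time-window condition is what keeps the report honest: the 15:45 event comes from the same address but from no open session, so it is reported as a gap rather than charged to either guest. In a real deployment the session records would come from the enforcement device's accounting data and the events from the firewall, as the walkthrough later describes.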


NAC Guest Server Deployment Options


Network Enforcement Devices

Network enforcement devices control the guest user:
- Deliver the automatic redirect to a captive portal
- Authenticate the user against the Guest Server
- Enforce the user's access privileges
- Record network access information

- Cisco NAC Appliance for Secure Guest Access
- Cisco Wireless LAN Controllers
- Cisco Catalyst Switch


Customizable Portals

Sample portal text: "Welcome to our guest hotspot! Fully customize this page and add the widgets you want!"

Widgets:
- Login
- Credit Card
- Guest Self Registration
- Password Change


NAC Guest Server Walkthrough

1. Sponsor creates an account on the NAC Guest Server.
2. Sponsor gives the credentials to the guest via print-out, email or SMS.
3. Guest authenticates with the web portal from the NGS, which authenticates the guest by RADIUS to the NGS.

(Diagram: Wireless LAN Controller - RADIUS - NAC Guest Server)


NAC Guest Server Walkthrough (continued)

4. If authentication is successful the guest is given Internet access.
5. Wireless LAN Controller and firewalls provide audit information to the NAC Guest Server.
6. When the account expires the Wireless LAN Controller logs off the guest.

(Diagram: Wireless LAN Controller - NAC Guest Server - Internet)


Wireless Only Deployment

(Diagram: Sponsored Guest - Wireless LAN Controller - Internet; Cisco NGS Guest Server and Active Directory (optional) on the LAN/WAN)

* Employee wireless uses a separate SSID providing higher security and full network access

- Easiest to deploy; least design impact
- Broad use-case


Add Secure Wired Access in Public Spaces

(Diagram: Sponsored Guest and Employee - Conference Room Ports / Wireless LAN Controller - Internet; Cisco NGS Guest Server and Active Directory (optional) on the LAN/WAN; parity for Wired / WLAN)

Enabling this feature may have an impact on network design and require configuration changes.

Employee wired access on these ports becomes limited to the Internet in this scenario.

* Employee wireless uses a separate SSID providing higher security and full network access


Complete Guest and Employee Secure Network Access

(Diagram: Sponsored Guest and Employee (SSC) - Switch / Wireless LAN Controller - Internet; Cisco NGS Guest Server and Active Directory on the LAN/WAN; parity for Wired / WLAN; Employee 802.1X/MAB compatibility)

Enabling this feature on switch ports leverages a similar 802.1X PEAP solution typical of enterprise wireless authentication.

* Employee wireless uses a separate SSID providing higher security and full network access


Application Programming Interface

- Open Web API for use by custom applications
- Example applications:
  - Visitor Management Systems (automatically create guest accounts)
  - Hotel Property Management Systems (provision at guest check-in)
  - Identity Management System (single portal for all accounts)



Costing Summary

Product          | Hardware       | Software | HW/SW Maintenance
NAC3315-GUEST-K9 | $24,995 (list) | Included | $3,989 (sntp)

The above does not include implementation planning and deployment.



MANY Variations

- Different designs
- Different network enforcement devices
- Different authentication methods
- Different auditing/tracking requirements

NAC Guest Server with wireless guest access provides an easy yet secure solution.

NAC Guest Server is the primary tool to meet the requirements of most guest access solutions.



DEMO
