Today's enterprise network environments encompass an increasingly mobile workforce that requires comprehensive network connectivity and access to critical business applications. As the mobile edge expands, organizations must provide network access to a wide population of mobile users, which includes both traditional users and mobile visitors. Network managers are challenged with providing a secure network access solution that gives both employees and authorized guests the ability to reach the resources they are entitled to, and nothing more. The Guest Access solution on the Cisco® Unified Wireless Network is a secure, cost-effective, and easy-to-integrate mobility solution that allows employees and authorized mobile visitors to connect to the network while keeping guest traffic separate from the internal network.
Challenge
Enterprise network deployments must facilitate network connectivity for a wide-ranging population, including employees, business partners, vendors, and guests. In many cases, these partners and vendors perform critical tasks for the organization and require both general network connectivity and limited access to specific network resources. To help ensure the security of the organization's data and protect corporate network resources, mobile visitors and their network traffic need to be logically separated from employee traffic and the internal network. Further complicating the situation, network access durations, user requirements, and network policies can vary widely for different sets of visitors. Likewise, because guests are third-party network users, organizations have little control over these visitors' endpoints and desktop software configurations, so the guest solution cannot rely on any agent or configuration on the guest device.
To enhance productivity, companies need a secure, scalable, manageable solution that provides network access for mobile visitors at designated (locked-down) portions of the network, without requiring parallel network infrastructures, deployment of additional disruptive solutions, or desktop software on the guest's endpoint.
Solution
Supporting both wired and wireless guest access, the Cisco Unified Wireless Network Guest Access solution gives visitors the ability to access the Internet through a secure, scalable, and cost-effective solution. Balancing the needs of visitors and IT administrators, the Cisco Guest Access solution is easy to use for visitors while offering streamlined management and control of guest user policies. Seamless guest access is provided through efficient guest user provisioning systems and Web authentication mechanisms, enabling nontechnical personnel to provision guest access and eliminating any configuration of the guest user's endpoint. Guest traffic can also be locked down and segmented from standard network traffic, allowing for increased customizability and network security. Using the Cisco Unified Wireless Network, organizations can integrate a comprehensive, secure guest access solution without disrupting existing processes or deploying costly parallel infrastructures.
Guest Access on the Cisco Unified Wireless Network
The Cisco Guest Access solution, as part of the Cisco Unified Wireless Network, helps mitigate network security risks while extending the appropriate level of network access to visitors. Most organizations today have an ecosystem of partners, vendors, and contractors in their day-to-day business processes. A guest user is any nonemployee, or any user not otherwise authorized for the internal network, who requires network connectivity. Most commonly, these users require only the ability to access the public Internet and/or VPN connectivity back to their own organization. In certain instances, however, mobile visitors perform critical business functions and require precise, locked-down access to internal network resources. With Cisco Guest Access, network privileges are customizable for any guest user access requirement.
Features and Benefits
The Cisco Guest Access solution is incorporated into the base functionality of Cisco Wireless LAN Controllers (WLC), with enhanced capabilities available via Cisco Wireless Control System (WCS) network management. This allows customers the ability to extend wireless and wired network access to guests using their existing wireless network infrastructure as the guest access control point, thus easing deployment considerations and delivering lower total cost of ownership.
Components of Cisco Unified Wireless Network Guest Access
Supporting real-time, business-critical applications with a comprehensive mobile-guest solution, the Cisco Guest Access solution on the Cisco Unified Wireless Network helps to ensure solid investment protection through a robust product portfolio, unified next-generation architecture, a smooth migration path to future enhancements, and extensive technology migration programs.
The Cisco Guest Access solution helps organizations manage their entire network deployment (both employee and guest WLANs) with active network segmentation, flexible guest policy management, and efficient guest provisioning mechanisms. Network segmentation features allow for employee and guest network traffic to be segregated onto separate tunnels and/or VLANs, ensuring both corporate network security and flexibility when deploying mobile guest services.
Dynamic user policy management features provide the ability to establish classes of guest users and assign specific network privileges and policies based on those classes. Configurable templates and auto-provisioning capabilities allow for easy and efficient scheduling and provisioning of guests. Advanced guest user provisioning features, including the ability to automatically provision guests for certain periods of time (for example, Monday through Friday from 9 a.m. to 5 p.m.) and single-click provisioning, streamline the provisioning process and reduce provisioning errors.
The Cisco Unified Wireless Network provides integrated guest user login portals that can be served directly from the WLC or from an external server. Customizable login portals based on service set identifiers (SSIDs) provide a standardized Web portal authentication mechanism when guests first connect to the network. The ability to track guest provisioning and guest network use statistics, including login and logout times, is accomplished with the built-in reporting and audit trail features in the WCS. Table 1 summarizes the features and benefits of the Cisco Guest Access solution.
Table 1. Features and Benefits of Cisco Guest Access

Network Segmentation
Features:
• Ethernet over IP tunneling
• VLANs
• Guest SSIDs
Benefits:
• Creates a separate virtual network for guest traffic
• Flexible architectures

User Policy Management
Features:
• Flexible access control and authentication, authorization, and accounting (AAA)
• User role templates
• Single-device and multi-device management
Benefits:
• Flexible, customized management for every environment
• Granular access policies

User Provisioning
Features:
• Delegated provisioning
• Auto-generated credentials
• Single-click provisioning
• User access scheduling
Benefits:
• Ease of use and efficiency for sponsor or provisioning personnel

User Login Portal
Features:
• Customizable content and disclaimer
Benefits:
• Intuitive, legal access for guest users

Reporting and Billing
Features:
• Provisioning audit trails
• User accounting
• Billing integration
Benefits:
• Ability to assess and adapt usage policies
• Ability to monetize the access service
Deploying Guest Access
The Guest Access solution on the Cisco Unified Wireless Network allows organizations to take full advantage of the Cisco WLAN network for both internal network access and guest access, thereby simplifying deployment considerations and reducing both deployment and operational costs.
Figure 1 illustrates a typical guest access deployment. In a typical deployment scenario, the guest user is provisioned on the network and assigned network credentials. Once the mobile visitor has a username and password, they associate to the guest SSID, open a browser, and are redirected to the Web authentication portal, where they enter those credentials. The wireless LAN controller recognizes this user as a guest user and segments the traffic onto the guest VLAN (or tunnels it to the controller in the DMZ). Once the guest user's credentials expire, access to network resources is terminated.
Figure 1. Cisco Guest Access: A Typical Deployment
Note: DMZ refers to the unsecured network area outside the internal network, where guest traffic is terminated.
Unified Wired and Wireless Guest Access
Reducing both complexity and cost, universal wired and wireless guest access gives organizations the ability to provide wired guest access using their existing wireless infrastructure. Table 2 summarizes the business benefits of universal wired and wireless guest access. Figure 2 illustrates how wired and wireless guest access works.
Table 2. Business Benefits of Universal Wired and Wireless Guest Access
Benefit
Description
Reduced deployment and operational costs
Unified wired and wireless guest access on the Cisco Unified Wireless Network eliminates the need for deploying and managing parallel solutions, thereby significantly lowering deployment costs and reducing ongoing operational costs.
Ease of provisioning
Organizations can use a single provisioning interface and captive portal to simplify the provisioning of guests and make sure that access methodologies are consistent.
Simplified management of guest user policies
Guest user policy management is made easier because organizations can use common guest user policies for both wired and wireless network access.
Figure 2. Wired and Wireless Guest Access: How it Works
Per-User Guest Access Policies
Detailed policy management and implementation features within the Cisco Guest Access solution give organizations fine-grained control over what each guest can reach and how much bandwidth each guest can consume, improving both network security and network performance. Table 3 summarizes the business benefits of per-user guest access policies.
Table 3. Business Benefits of Per-User Guest Access Policies
Feature
Business Advantage
Customized login portals
Enterprises can have several different pools of guests (accounting, IT, training partners, consultants, suppliers, and so on). This feature allows administrators to provide customized guest portals depending on the SSID the guest is provisioned on.
Per-user bandwidth policies
Granular bandwidth limiting on guest traffic allows organizations to limit bandwidth policies by user or group, providing the ability to allocate resources by specific job function or throughput requirements. Overall network performance is thereby enhanced and can be directed towards critical needs of the business.
Guest user logging
Guest user activity can be logged and tracked, which helps identify how visitors are using network resources and supports later investigation of a guest session.
Partitioning of network traffic
The Cisco Guest Access solution also allows for per-user segmentation of network traffic using VLAN and access control list (ACL) assignment, providing increased security for the organization's IT assets and information.
Flexible, Streamlined Guest Provisioning
Provisioning guest access for mobile visitors should be simple and expedient. The Cisco Guest Access solution contains many features allowing for quick and easy provisioning of guest users, as listed in Table 4.
Table 4. Business Benefits of Streamlined Guest Provisioning
Feature
Business Advantage
Simplified preconfigured templates
Provisioning personnel can provision guests using standardized parameters (templates) that are preconfigured in Cisco WCS. Single-click guest provisioning reduces errors made by provisioning personnel when they are issuing guest access credentials. Provisioning personnel do not need to have network knowledge to provision guests since they can use unalterable templates to issue guest credentials. Passwords can also be auto-generated in advance, for mass guest user provisioning.
Auto-scheduling
Practical guest user network scheduling must allow for network access only during specific periods of time. The auto-scheduling feature automatically schedules guest access for certain periods of time (for example, from 9 a.m. to 5 p.m.).
Bulk guest user provisioning
Multiple guest users can be provisioned simultaneously by uploading a static guest user file (in comma-separated value (csv) or text format (txt)) containing preloaded network access boundaries. The bulk provisioning feature reduces both provisioning errors and the time required to provision multiple guest access groups or users.
Flexible guest account login distribution
Provisioning and distributing guest user account information is made easier with the ability to e-mail or print a guest's login credentials.
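The provisioning features in Table 4 (preconfigured templates with auto-generated passwords, bulk CSV upload, time-window scheduling, and credential expiry) combine into one workflow: a sponsor supplies account requests, policy caps are enforced on what the sponsor asked for, credentials are generated rather than chosen, and the enforcement point later checks lifetime and schedule at login. The following Python is an added example of that workflow written for this page; it is not Cisco WCS or WLC code. The CSV column layout, the policy cap, and the sample rows are constructed assumptions, since the datasheet does not document the real upload format.

```python
import csv
import io
import secrets
import string
from datetime import datetime, time, timedelta

# Policy caps enforced on whatever the sponsor uploads (values are assumptions).
MAX_LIFETIME = timedelta(days=7)
PASSWORD_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits

# Constructed bulk upload. The real WCS CSV layout is not documented on this
# page; these columns are illustrative only.
SAMPLE_CSV = """username,sponsor,start,lifetime_hours,window_start,window_end,weekdays_only
jdoe-visitor,lobby-ambassador-1,2009-03-02T08:00,130,09:00,17:00,yes
weekend-contractor,lobby-ambassador-1,2009-03-06T08:00,72,00:00,23:59,no
acme-auditor,lobby-ambassador-1,2009-03-02T08:00,720,00:00,23:59,no
"""


def generate_password(length=PASSWORD_LENGTH):
    """Credential drawn from the OS CSPRNG, not a pattern a sponsor would type."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(csv_text):
    """Turn a sponsor upload into accounts, rejecting rows that exceed policy.
    The sponsor name is kept on every account so the audit trail can say who
    created it."""
    accounts, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = datetime.fromisoformat(row["start"])
        lifetime = timedelta(hours=int(row["lifetime_hours"]))
        if lifetime > MAX_LIFETIME:
            rejected.append((row["username"], "lifetime exceeds policy cap"))
            continue
        accounts.append({
            "username": row["username"],
            "sponsor": row["sponsor"],
            "password": generate_password(),
            "start": start,
            "expires": start + lifetime,
            "window": (time.fromisoformat(row["window_start"]),
                       time.fromisoformat(row["window_end"])),
            "weekdays_only": row["weekdays_only"].strip().lower() == "yes",
        })
    return accounts, rejected


def access_allowed(account, now):
    """What the enforcement point checks at login: account lifetime first,
    then the weekday restriction, then the daily time window."""
    if not (account["start"] <= now < account["expires"]):
        return False
    if account["weekdays_only"] and now.weekday() >= 5:
        return False
    window_start, window_end = account["window"]
    return window_start <= now.time() <= window_end


if __name__ == "__main__":
    accounts, rejected = provision(SAMPLE_CSV)
    for acct in accounts:
        print(acct["username"], acct["password"], "expires", acct["expires"],
              "sponsor", acct["sponsor"])
    for name, reason in rejected:
        print("rejected:", name, reason)
    guest = accounts[0]
    print(access_allowed(guest, datetime(2009, 3, 2, 10, 0)))   # Monday, in window
    print(access_allowed(guest, datetime(2009, 3, 2, 18, 0)))   # Monday, after 5 p.m.
    print(access_allowed(guest, datetime(2009, 3, 7, 10, 0)))   # Saturday, weekdays only
```

The ordering in `access_allowed` matters: an expired account is refused before any schedule is consulted, so a sponsor cannot extend a visitor's stay by editing the daily window. The 30-day `acme-auditor` row is rejected at upload time rather than silently truncated, which keeps the audit trail honest about what was actually granted.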
Advanced Network Security
An important aspect of a complete guest access solution is ensuring that provisioning personnel are creating the correct profiles for guests coming onto the network and that guest user activity on the network is controlled. The Cisco Guest Access solution contains features that provide enhanced network security and reporting on both guest users and sponsor or provisioning personnel. Table 5 summarizes the benefits of this set of features.
Table 5. Business Benefits of Advanced Network Security
Feature
Business Advantage
Lobby ambassador audit trail
The Cisco Guest Access solution assists organizations in tracking guest user provisioning with an audit trail of provisioning personnel. The audit trail lists the name of the person who created, deleted, or modified guest user profiles or guest user credentials.
Customized lobby ambassador views
The Lobby Ambassador screens in WCS used by provisioning personnel can be limited to a specific WLC or access point (SSID). Constraining provisioning personnel to specific wireless LAN controllers or access point SSIDs helps enhance overall network security.
Enhanced authentication for provisioning personnel
In addition to local database authentication, provisioning personnel can be authenticated against a TACACS+ or RADIUS AAA server to confirm their identity. Reusing the organization's existing authentication framework eases operations and workflow, and means that lobby ambassador accounts are subject to the same password and deprovisioning practices as other administrative accounts.
Guest location mapping
Guest location mapping gives organizations the ability to see where guests are physically located to help ensure that guests are accessing the network from the correct locations within the organization.
Integrated access control
Integrated access control limits guest user access by location and by traffic type. SSID broadcasts can be restricted to specific access points, allowing for location-based access control. Additionally, Layer 3 and Layer 4 ACLs are defined on the WLAN controller, and an external RADIUS server can select which of those ACLs is applied to each user at authentication time, giving dynamic per-user ACLs.
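The per-user ACL mechanism described above has two halves: the RADIUS server names a controller-defined ACL in its Access-Accept, and the controller then evaluates the guest's traffic against that ACL, first match wins. The following Python is an added example illustrating both halves; it is not Cisco code and does not talk to a controller. The vendor-specific attribute numbers (Airespace Vendor-Id 14179, Airespace-ACL-Name sub-attribute 6) are taken from the public FreeRADIUS Airespace dictionary and should be checked against your own dictionary; the ACL name, the addresses, and the guest ACL itself are constructed for illustration.

```python
import ipaddress
import struct

# Airespace (Cisco WLC) vendor-specific RADIUS attribute identifiers.
# Vendor-Id 14179 and Airespace-ACL-Name = 6 are taken from the public
# FreeRADIUS "dictionary.airespace"; verify against your own dictionary.
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_ACL_NAME = 6
RADIUS_VENDOR_SPECIFIC = 26


def encode_acl_name_vsa(acl_name):
    """Build the RFC 2865 Vendor-Specific attribute that tells the controller
    which of its own ACLs to apply to this session (sent in Access-Accept)."""
    value = acl_name.encode("ascii")
    vendor_sub = struct.pack("!BB", AIRESPACE_ACL_NAME, 2 + len(value)) + value
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + vendor_sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_acl_name_vsa(attr):
    """Parse the attribute back. Anything malformed raises, so a bad reply
    cannot silently result in "no ACL" for the guest."""
    if len(attr) < 8:
        raise ValueError("attribute too short")
    attr_type, attr_len = struct.unpack("!BB", attr[:2])
    if attr_type != RADIUS_VENDOR_SPECIFIC or attr_len != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    sub_type, sub_len = struct.unpack("!BB", attr[6:8])
    if vendor_id != AIRESPACE_VENDOR_ID or sub_type != AIRESPACE_ACL_NAME:
        raise ValueError("not an Airespace-ACL-Name attribute")
    if sub_len != len(attr) - 6:
        raise ValueError("vendor sub-attribute length mismatch")
    return attr[8:8 + sub_len - 2].decode("ascii")


# Constructed guest ACL for the guest-to-network direction, evaluated first
# match like a controller ACL: permit DNS to the resolver in the DMZ, deny
# every RFC 1918 range (the internal network), permit everything else
# (the Internet). Addresses are illustrative.
GUEST_ACL = [
    ("permit", "udp", "any", "10.20.0.53/32", 53),
    ("deny",   "ip",  "any", "10.0.0.0/8",     None),
    ("deny",   "ip",  "any", "172.16.0.0/12",  None),
    ("deny",   "ip",  "any", "192.168.0.0/16", None),
    ("permit", "ip",  "any", "any",            None),
]


def _in_prefix(prefix, address):
    return prefix == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(prefix)


def acl_decision(acl, proto, src, dst, dport):
    """First matching rule wins; an ACL with no match ends in an implicit deny."""
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_in_prefix(rsrc, src) and _in_prefix(rdst, dst)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    vsa = encode_acl_name_vsa("GUEST-INTERNET-ONLY")
    print("RADIUS selected ACL:", decode_acl_name_vsa(vsa))
    flows = [
        ("udp", "10.200.1.5", "10.20.0.53", 53),      # DNS to the DMZ resolver
        ("tcp", "10.200.1.5", "10.1.1.10", 80),       # intranet web server
        ("tcp", "10.200.1.5", "93.184.216.34", 443),  # public web site
    ]
    for flow in flows:
        print(flow, "->", acl_decision(GUEST_ACL, *flow))
```

Rule order is the point of the ACL half: the resolver at 10.20.0.53 sits inside 10.0.0.0/8, so the DNS permit has to come before the deny for that range or guests lose name resolution. Conversely, if the permit for "any" were placed first, the RFC 1918 denies would never be reached and the guest VLAN would have full access to the internal network. Controller ACLs also have an implicit deny at the end, which `acl_decision` reproduces.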
Flexible Architecture and Management
Offered as a component solution on the Cisco Unified Wireless network, the Guest Access solution can be seamlessly deployed by using either the onboard Web device manager on the Cisco Wireless LAN Controller, or the more robust Lobby Ambassador functionality inherent in the Cisco Wireless Control System.
The integrated management on the WLC provides a basic guest user provisioning portal with the ability to implement network configurations and provisioning policies on a single controller. This makes the WLC an ideal solution for small guest access deployments. The WLC also supports a range of authentication back ends (RADIUS, TACACS+, and Lightweight Directory Access Protocol [LDAP]), allowing for easy integration with existing authentication infrastructures. The WLC also contains an internal authentication database, offering a complete, standalone authentication solution.
Enhanced guest user provisioning and management features for multi device deployments are available with the Cisco Wireless Control System (WCS). The WCS Lobby Ambassador feature provides an easy and efficient provisioning template and granular guest policy controls. Advanced features include the ability to auto-generate and deliver (via e-mail or printing) user credentials, automated scheduling for specific time periods (by time of day or calendar), and map-based integration for restricting guest user access to a specific location.
The user login portal, served from either the WLC or a separate server, is automatically launched when a mobile visitor attempts to access the Web. This simple and customizable portal provides a SSID-specific login page for guests authenticating to the guest network. The HTML-based portal can be customized to match an organization's look-and-feel and can include customized user agreements for guests to accept prior to being granted network access. Figure 3 compares the integrated guest access solution on the WLC with the guest provisioning functionality in WCS.
Figure 3. Guest Provisioning and Policy Management with WLC and WCS
Supported Platforms
Cisco Wireless LAN Controllers are the heart of the Cisco Unified Wireless Network Guest Access solution. Guest policy enforcement and tunneling occurs on these devices. The number of tunnels indicates the number of WLCs residing on the network interior or at remote sites that can connect to the WLC in the unsecured network area (DMZ). Figure 4 details the scalability for the Cisco Wireless LAN Controller family of products.
Figure 4. Cisco Wireless Controller Product Family
Note: The Cisco 2106, as a remote site device, can only initiate Ethernet over IP tunnels. It cannot reside in the unsecured network area (DMZ) as a guest controller terminating Ethernet over IP tunnels.
Cisco Guest Access Provisioning Solutions
In certain deployment scenarios, an organization might require a separate guest provisioning appliance to facilitate the creation of guest accounts, management of guest access policies, and reporting for guest network use. It is often necessary to shift from a centralized WCS-enabled guest provisioning architecture to a provisioning appliance architecture when organizations grant widespread provisioning authority, for example when they allow all employees to provision guest users. Cisco offers two guest access provisioning solutions: the Cisco NAC Guest Server and Cisco GuestNet Manager. Both provide advanced guest account creation, management, and reporting functionality.
The Cisco NAC Guest Server (NGS) is a purpose-built guest access provisioning and accounting appliance, providing an out-of-the-box, easy-to-configure guest access solution with a centralized interface for all guest account creation and guest policy management. NGS provides a centralized reporting interface to track statistics on both guest account creation and guest network use. Cisco NGS allows for easy and secure creation of guest network access accounts and is ideal for organizations that have a wide array of corporate sponsors creating accounts for guest users. The Cisco NAC Guest Server simplifies the process of offering widespread guest access provisioning in a simple, secure, and flexible way. For more information on the Cisco NAC Guest Server, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html
Cisco GuestNet Manager (GNM) is a guest provisioning solution offered by Cisco Advanced Services, which can be customized to deployment-specific standards. Cisco GNM provides tight integration with other Cisco Guest Access solution platforms, including the Cisco NAC Appliance and Cisco Wireless LAN Controllers. GNM also provides integration with Cisco WCS, via an API that enables centralized wireless/guest configuration policy and reporting. Cisco GuestNet Manager is available as custom software and is only sold via a Statement of Work or comparable services contract. Contact guestnetmanager@cisco.com or your local services account manager for more information.
Secure Guest Access Services with the Cisco NAC Appliance
With Cisco's Network Admission Control solution, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. By combining the Cisco Unified Wireless Network Guest Access solution with Cisco NAC, customers are able to take advantage of synergies between the rich guest access features inherent to the Cisco Unified Wireless Network and the enhanced, industry-leading posture assessment and remediation capabilities of Cisco NAC. Cisco NAC complements new or existing Cisco Unified Wireless Network guest access deployments by providing greater user policy control and enhanced wired guest access support.
Summary
The Cisco Unified Wireless Network makes guest access deployment and operation easy and cost-effective. With a unified deployment architecture, customizable provisioning, and granular guest policy implementation and management, the Cisco Guest Access solution provides persistent network access to authorized employees and guests, while providing the highest levels of network security.
For more information, please visit the following links: