© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco NAC Guest Server
Guest Access - Simplified
Tim Wellborn, SE
Sangeeta Kodukula, SE
DFW Cisco Users Group, April 6, 2011

Agenda
1. The "Business Case" for Secure Guest Access
2. Cisco NAC Guest Server Overview
3. Deployment Options
4. Summary & Additional Resources
5. Demo

The Enterprise Hotspot
- Provide network access to visitors
- Present professional and secure access to visitors
- Enable improved productivity from vendors and contractors
- Strengthen collaboration between employees and partners
Enterprises are the most important hotspot destination for business partners in a connected world.
Provide guest access in a seamless, secure manner.

Guest Access Considerations
- Ease of use
  - Provisioning of user accounts
  - Receptionist, help desk, any user
- Integration with network infrastructure
  - Reduce infrastructure upgrades
  - Avoid parallel network infrastructure
- Audit and accountability
  - Know who is doing what
  - Know who created which account
- Cost
  - Cost of implementation
  - Cost of ongoing management
- Security
  - Meet security policy requirements
  - Provide secure guest access

ROI - Cisco Internal Real World Example
- 400,000 guests per year (and increasing)
- $X per call to set up a guest (cost avoided)
- Cost savings of $M/year by self-provisioning
[Chart: January 05 to April 08]

NAC Guest Server Overview

Four Key Components of Guest Access
- GUEST: The visitor who needs network access
- SPONSOR: The internal user who wants to be able to provide Internet access to their guest
- NETWORK ENFORCEMENT DEVICE: Performs web redirection and authentication, and provides access. Wireless LAN Controller or NAC Appliance
- NAC GUEST SERVER: Enables the sponsor to create a guest account; audits; provisions the account on the network enforcement device

Managing the Guest User Lifecycle
- PROVISIONING: Create Guest Accounts
  - Create a single Guest Account
  - Create multiple Guest Accounts by importing a CSV file
- NOTIFICATION: Give Accounts to Guests
  - Print Account and Access Details
  - Send Account Details via
  - Send Account Details via SMS
- MANAGEMENT: Manage Guest Accounts
  - View, edit or suspend your Guest Accounts
  - Manage batches of accounts you have created
- REPORTING: Report on Guests
  - View audit reports on individual Guest accounts
  - Display Management reports on Guest Access

Provisioning
Who should create user accounts?
- Receptionist/Lobby Ambassador
- IT Security Managers
- Help Desk
- Any Employee
NAC Guest Server lets you choose based upon your security policy.
Allowing any employee to create accounts provides increased usage and will be just as secure:
- Reduced cost
- Full audit trail
- Speed of access
- Ease of use

Sponsor Portal
- Customizable Web Portal for internal sponsors
- Authenticate with corporate credentials
  - Local Database
  - Active Directory
  - LDAP
  - RADIUS
  - Kerberos

Sponsor Single Sign On
- Integrates with Active Directory
- Supports all Windows authentication mechanisms, including:
  - Username/password
  - Smart Card
  - Biometrics, etc.
- Log in to Windows: automatic authentication to NAC Guest Server

Creating Guest Accounts
1. Enter user details
2. Specify start and end times
3. Add user

Username Policy
- Address
- First/Last Name
- Random

Guest Password Policy
- Alphabetic
- Numeric
- Special
Choice of characters and length

Flexible Time Policies
Create accounts by:
- Start/End Time
- Usage from first login
  - For example, account valid for 1 hour from first login
- Usage within a certain period
  - For example, account valid for 2 hours within 24 hours from first login
Account Restrictions
- Set times when guest cannot log in, such as outside office hours
Provides complete flexibility for when you want to allow guest access

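The three validity modes and the login restriction above, sketched as an added Python example (not Cisco's code and not part of the original slides). The GuestAccount fields, the mode names and session_deadline() are hypothetical, and the "usage within a certain period" mode is assumed to count accumulated session time.

```python
# Added illustration: all names here are hypothetical, not NAC Guest Server's API.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

@dataclass
class GuestAccount:
    mode: str                                # "start_end" | "from_first_login" | "time_used"
    start: Optional[datetime] = None         # start_end: fixed validity window
    end: Optional[datetime] = None
    duration: Optional[timedelta] = None     # time allowed after (or usage since) first login
    window: Optional[timedelta] = None       # time_used: period the usage must fall inside
    blocked: Tuple[Tuple[time, time], ...] = ()  # daily ranges when login is refused
    first_login: Optional[datetime] = None
    used: timedelta = timedelta(0)           # time_used: accumulated session time

def in_blocked_hours(acct: GuestAccount, now: datetime) -> bool:
    t = now.time()
    # A range such as 18:00-08:00 wraps past midnight.
    return any((lo <= t < hi) if lo <= hi else (t >= lo or t < hi)
               for lo, hi in acct.blocked)

def session_deadline(acct: GuestAccount, now: datetime) -> Optional[datetime]:
    """Return when a session starting at `now` must end, or None if login is refused."""
    if in_blocked_hours(acct, now):
        return None
    if acct.mode == "start_end":
        return acct.end if acct.start <= now < acct.end else None
    first = acct.first_login or now          # this login may be the first one
    if acct.mode == "from_first_login":
        deadline = first + acct.duration
    elif acct.mode == "time_used":
        # Whichever comes first: the period closes or the usage budget runs out.
        deadline = min(first + acct.window, now + (acct.duration - acct.used))
    else:
        raise ValueError(f"unknown mode {acct.mode!r}")
    return deadline if now < deadline else None

def record_session(acct: GuestAccount, login: datetime, logout: datetime) -> None:
    """Account for a finished session, as an enforcement device's accounting would report it."""
    if acct.first_login is None:
        acct.first_login = login
    acct.used += logout - login
```

The returned deadline is the moment an enforcement device would have to log the guest off; a None result means the login is refused outright.
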
Notification: Guest User Account Delivery
Send account information via print-out, , or SMS

Audit and Reports
Visibility and Management of Guest Users
- Sponsor Information
- Account Management
- Guest Information

Guest Activity Reporting
Consolidated Audit Report of Guest Activity

Username: guestname
IP Address:
Login Time: 15:05
Logout Time: 14:30
15: accessed
15: used the BitTorrent protocol
15: connected to vpn.mycompany.com

Detailed guest audit information
- When they logged in
- Where they logged in
- The guest's address
- What they did
- What was allowed
- What was disallowed

NAC Guest Server Deployment Options

Network Enforcement Devices
Network Enforcement Devices control the guest user:
- Deliver the automatic redirect to a captive portal
- Authenticate the user against the Guest Server
- Enforce the user's access privileges
- Record network access information
Supported devices:
- Cisco NAC Appliance for Secure Guest Access
- Cisco Wireless LAN Controllers
- Cisco Catalyst Switch

Customizable Portals
"Welcome to our guest hotspot! Fully customize this page and add the widgets you want!"
- Login
- Credit Card
- Guest Self Registration
- Password Change

NAC Guest Server Walkthrough
1. Sponsor creates account on the NAC Guest Server
2. Sponsor gives the credentials to the guest via print-out, or SMS
3. Guest authenticates with the web portal from NGS which authenticates the guest by RADIUS to the NGS
4. If auth is successful the guest is given Internet access
5. Wireless LAN Controller and Firewalls provide audit information to the NAC Guest Server
6. When the account expires the Wireless LAN Controller logs off the guest

Wireless Only Deployment
- Easiest to deploy; least design impact
- Broad use-case
[Diagram labels: Sponsored Guest, Cisco NGS Guest Server, Wireless LAN Controller, Internet, LAN/WAN, Active Directory, Optional]
* Employee Wireless uses separate SSID providing higher security and full network access

Add Secure Wired Access in Public Spaces
- Parity for Wired / WLAN
- Conference Room Ports
- Enabling this feature may impact network design and require configuration changes. Employee wired access on these ports becomes limited to Internet in this scenario.
[Diagram labels: Sponsored Guest, Cisco NGS Guest Server, Wireless LAN Controller, Employee, Internet, LAN/WAN, Active Directory, Optional]
* Employee Wireless uses separate SSID providing higher security and full network access

Complete Guest and Employee Secure Network Access
- Parity for Wired / WLAN
- Employee 802.1X/MAB Compatibility
- Enabling this feature on switch ports leverages an 802.1X PEAP solution similar to the one typical of enterprise wireless authentication.
[Diagram labels: Sponsored Guest, Wireless LAN Controller, Internet, Switch, Active Directory, LAN/WAN, SSC, Employee, 802.1X, MAB, Cisco NGS Guest Server]
* Employee Wireless uses separate SSID providing higher security and full network access

Application Programming Interface
Open Web API for use by custom applications
Example applications:
- Visitor Management Systems (automatically create guest accounts)
- Hotel Property Management Systems (provision at guest check-in)
- Identity Management System (single portal for all accounts)

Costing Summary

Product            Hardware         Software   HW/SW Maintenance
NAC3315-GUEST-K9   $24,995 (list)   Included   $3,989 (sntp)

Above does not include implementation planning and deployment.

MANY Variations
- Different Designs
- Different Network Enforcement Devices
- Different Authentication Methods
- Different Auditing/Tracking Requirements
NAC Guest Server with Wireless Guest Access provides an easy yet secure solution.
NAC Guest Server is the primary tool to meet the requirements of most guest access solutions.

DEMO