Wednesday, March 28, 2007

Unified Wireless Guest Access: Prep'ing the Controller

Continuing on with my discussion of UW and Guest Access, I'd like to go into some detail about how to configure your master controller (the "nexus") to access the guest network. Before we continue we have to have an idea how we want to design our guest network. The goal of the guest network is to allow Internet access that is segmented from all other internal network resources. How this is developed is completely up to your implementation. I'll use our configuration as an example. Our existing guest access is handled through a non-routed VLAN that's switched via our L2 core. For the sake of examples... we'll say this VLAN is VLAN 125.

As I stated, this is a non-routed VLAN that in our example will use the IP scheme of 192.68.1.X. The VLAN has a default gateway of, which is a PIX 506E that has an outside interface on our Internet segment. All clients on this network are NAT'd through the PIX, completely separate from our existing ASA cluster that's used for employees. This keeps the guest segment completely separate from our existing IP routing infrastructure. Here's an overview of the design.

Now let's get into how this is configured on the WLAN Controller. Please note that the configuration is being done on version of the WLC. The first step for creating a new WLAN is to create an interface on the controller for the clients. I'll be using the WLC GUI for the configuration. Go to CONTROLLER -> Interfaces -> New... This will bring you to the dialog to build in the new guest interface. Give the interface any name and tag the VLAN for the guest VLAN. So... in my example I'll use VLAN 125. Fill in the fields noted below.

The above image should explain this part of the configuration for the most part. I'd just like to note the importance of the DHCP server option field. Ensure that you are placing the IP of the management interface of the controller. Using any other IP address on the controller will not work. Next let's build the DHCP pool that will be required for the clients. You have the option of using an external DHCP server, but we have opted to use the server local to the WLC. To access the DHCP options, click CONTROLLER -> Internal DHCP Server. Create a new scope and set the necessary options. I don't need to show this as it's very self-explanatory. Obviously we'll set the PIX as the "Default Router" and DNS is provided by an open DNS server on the Internet. You can use your own outside DNS server if you wish.

Our final step is to set up the WLAN... which for now will have no authentication. To create a WLAN... go to WLANs -> WLANs -> New... Give it an ID; the profile name can be "Open Access" and the WLAN SSID can be something like "Open Internet Access." This is the name of the WLAN that will be shown on the users' laptops. Now let's get into the details. Note the options I have arrows next to.
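As an added sanity check (not part of the original post or of any Cisco tool), the following script validates a guest interface definition against the two points the steps above hinge on: the DHCP server field must be the controller's management IP, and the guest subnet must stay segmented from the internal ranges. The VLAN and 192.68.1.X scheme come from the post; the management IP, internal ranges and PIX address are constructed placeholders.

```python
import ipaddress

# Constructed sample values modelled on the post: guest VLAN 125 on the
# 192.68.1.X scheme, with a hypothetical PIX gateway and WLC management IP.
INTERNAL_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12"]  # constructed employee ranges
MGMT_IP = "10.10.10.5"                               # constructed management IP

GUEST_INTERFACE = {
    "name": "guest",
    "vlan": 125,
    "address": "192.68.1.2/24",   # controller's own address on the guest VLAN
    "gateway": "192.68.1.1",      # hypothetical PIX 506E inside interface
    "dhcp_server": "10.10.10.5",  # must be the management interface IP
}


def check_guest_interface(iface, mgmt_ip, internal_subnets):
    """Return a list of findings; an empty list means the interface passes."""
    findings = []
    addr = ipaddress.ip_interface(iface["address"])
    guest_net = addr.network
    gateway = ipaddress.ip_address(iface["gateway"])

    # The post's key caveat: any address other than the management IP
    # in the DHCP server field breaks client addressing on the WLC.
    if ipaddress.ip_address(iface["dhcp_server"]) != ipaddress.ip_address(mgmt_ip):
        findings.append("dhcp_server is not the management interface IP")

    # The default router (the PIX) must sit inside the guest subnet.
    if gateway not in guest_net:
        findings.append("gateway is outside the guest subnet")

    # Segmentation goal: the guest range must not overlap internal networks.
    for cidr in internal_subnets:
        if guest_net.overlaps(ipaddress.ip_network(cidr)):
            findings.append(f"guest subnet overlaps internal range {cidr}")

    # The tag applied to the interface must be a valid 802.1Q VLAN ID.
    if not 1 <= iface["vlan"] <= 4094:
        findings.append("vlan id out of 802.1Q range")
    return findings


if __name__ == "__main__":
    for finding in check_guest_interface(GUEST_INTERFACE, MGMT_IP, INTERNAL_SUBNETS):
        print("FINDING:", finding)
```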

Again... a pretty easy configuration. Once this step is complete you should be able to connect to your guest SSID and get Internet access. This is just the first step in providing Guest Access. In future posts I'll review enabling web authentication along with developing a customizable interface for users to register that ties into the WLC local user database. Leave feedback and let me know if you're unsure about anything or if I can help at all.

Tuesday, March 27, 2007

Unified Wireless: My Take on Guest Access

As I said in a previous post, I've been working on a Cisco Unified Wireless implementation. I gave a brief overview of UW (unified wireless) below, but I want to go into depth on the topic of Guest Access. The documentation is limited and I just want to take some time to share how I'm implementing Guest Access and the configuration required.

Guest Access is pretty much what it sounds like. It's taking your wireless infrastructure and allowing "guest" users to access it while keeping your existing UW infrastructure secure. This could be used to provide Internet access to vendors visiting your facilities, or could go beyond and actually act as an open hotspot for customers. The version of Guest Access I'm working on involves allowing guests at our corporate campus to use our Internet connectivity for presentations/remote VPN access. Our corporate campus is comprised of multiple facilities all linked over our private MPLS VPN cloud.

Let me go a little bit into the architecture behind the implementation. In our headquarters facility we have installed a Cisco 4402 Wireless LAN controller. This controller acts as the "nexus" for our Guest Access infrastructure, along with allowing secure access to internal network resources for mobile employees. Our satellite offices, also part of the corporate campus, are all connected via Cisco 2811 Integrated Services Routers. In these offices we will be using NM-WLC-6 network modules. Essentially these modules are Wireless LAN Controllers which sit on-board ISR routers.

I don't want to get too in-depth with Guest Access this first post. Let me leave with a quick diagram of how I've decided to implement Guest Access. In future posts I'll go into detail as to how this can be implemented. Keep in mind that my implementation may not be the same as yours, but the concepts I use may be shared amongst many implementations.

Thursday, March 22, 2007

CS-MARS v4.2.5(2456) Available!

To all those CS-MARS owners... Cisco has released a new version of CS-MARS. This update includes numerous signature updates, along with a slew of resolved caveats. Make sure to check out the details here before updating.

And in other news...our Clean Access project has been placed on hold to focus resources on a new Cisco Unified Wireless implementation. The budget money was available, so the equipment is here and the system is being developed. The unified wireless system focuses on extending security across your wireless network while enabling services that are normally available to only wired clients. Keep an eye out for details on our implementation... along with some in-depth discussion as to how we'll be handling guest access in the near future.

Tuesday, March 06, 2007

The World of Clean Access

Another update from the front lines of network security. I hope everyone has been well and keeping busy in this ever-evolving market. While this blog does focus on CS-MARS... over the next few weeks you'll begin to see me post updates about "everything security at Cisco." My most recent project has me working on a terrific product from Cisco known as Clean Access (aka Cisco NAC Appliance). For those of you in the dark, NAC is a framework and methodology for network security in which security is no longer enforced exclusively by network infrastructure devices, but also on end-user workstations.

Let me go into a little detail about Cisco Clean Access (CCA) and how it will be used in our environment. CCA is comprised of a Clean Access Manager (CAM) and Clean Access Server (CAS). The CAM dictates all the policies required to gain access to the network, while the CAS handles authentication of workstations and quarantining as necessary. Both are required components of a Clean Access implementation.

During our initial pilot we will be validating workstations from a remote office, along with select users in our headquarters facility. This brings up some issues that can all be solved based upon the CCA implementation that is selected. Now this update is just a brief overview of my most recent project... but expect updates soon about the infrastructure concepts involved in CCA and some of the configuration involved with the project. The resources on Clean Access are limited on the Internet, so I do want to dedicate a portion of this blog to this exciting product. Continue to expect updates about CS-MARS... along with other Cisco security updates.