Wired Guest Access with Both Anchor and Foreign as 5760 WLC
Table of Contents
Introduction
Deployment Scenario
Topology
OPENAUTH
Guest Anchor Configuration
Foreign Configuration
WEBAUTH
Guest Anchor Configuration
Foreign Configuration
WEBAUTH Command O/P Example
Foreign
Anchor
Introduction
This document covers deployment of the wired guest access feature on a Cisco 5760 Wireless LAN Controller (WLC) which acts as a foreign anchor and a Cisco 5760 WLC which acts as a guest anchor in the Demilitarized Zone (DMZ) with Version 03.03.2.SE Release Software. The feature works in a similar fashion on a Cisco Catalyst 3650 switch which acts as a foreign controller.
Today, solutions exist for the provision of guest access through wireless and wired networks on the Cisco 5508 WLC. In enterprise networks, there is typically a need to provide network access to its guests on the campus. The guest access requirements include the provision of Internet connectivity or other selective enterprise resources to both wired and wireless guests in a consistent and manageable way. The same WLC can be used to provide access to both types of guests on the campus. For security reasons, a large number of enterprise network administrators segregate guest access to a DMZ controller via tunneling. The guest access solution is also used as a fallback method for guest clients that fail dot1x and MAB authentication methods.
The guest user connects to the designated wired port on an access layer switch for access and optionally might be made to go through Web Consent or Web Authentication modes, dependent upon the security requirements (details in later sections). Once guest authentication succeeds, access is provided to the network resources and the guest controller manages the client traffic. The foreign anchor is the primary switch where the client connects for network access. It initiates tunnel requests. The guest anchor is the switch where the client actually gets anchored. Apart from the Cisco 5500 Series WLAN Controller, the Cisco 5760 WLC can be used as a guest anchor. Before the guest access feature can be deployed, there must be a mobility tunnel established between the foreign anchor and the guest anchor switches. The guest access feature works for both MC (Foreign Anchor)>> MC (Guest Anchor) and MA (Foreign Anchor)>>MC (Guest Anchor) models. The foreign anchor switch trunks wired guest traffic to the guest anchor controller and multiple guest anchors can be configured for load balancing. The client is anchored to a DMZ anchor controller. It also handles the DHCP IP address assignment as well as authentication of the client. After the authentication completes, the client is able to access the network.
Contributed by Joseph Vasanth Louis, Cisco Engineering.
Deployment Scenario
This document covers common use cases where the wired clients connect in order to access switches for network access. Two modes of access are explained in different examples. In all of the methods, the wired guest access feature can act as a fallback method for authentication. This is typically a use case when a guest user brings an end device that is unknown to the network. Since the end device is missing the endpoint supplicant, it fails the dot1x mode of authentication. Similarly, the MAB authentication also fails, as the MAC address of the end device is unknown to the authenticating server. Note that in such implementations, corporate end devices successfully get access since they either have a dot1x supplicant or their MAC addresses in the authenticating server for validation. This allows for flexibility in deployment, as the administrator does not need to restrict and tie up ports specifically for guest access.
Topology
This diagram shows the topology used in the deployment scenario.
OPENAUTH
Guest Anchor Configuration
Complete these steps:
- Enable IPDT and DHCP snooping on client VLAN(s), in this case VLAN75. The client VLAN needs to be created on the guest anchor.
ip device tracking
ip dhcp relay information trust-all
ip dhcp snooping vlan 75
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
- Create the VLAN 75 and Layer 3 VLAN interface.
vlan 75
interface Vlan75
ip address 75.1.1.1 255.255.255.0
ip helper-address 192.168.1.1
ip dhcp pool DHCP_75
network 75.1.1.0 255.255.255.0
default-router 75.1.1.1
lease 0 0 10
update arp
- Create a guest LAN that specifies the client VLAN with the 5760 itself that acts as the mobility anchor.
For openmode, the no security web-auth command is required.
guest-lan GUEST_LAN_OPENAUTH 3
client vlan 75
mobility anchor
no security web-auth
no shutdown
Foreign Configuration
- Enable DHCP and create a VLAN. As noted, the client VLAN does not need to be set up on the foreign.
ip dhcp relay information trust-all
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip device tracking
- The switch detects the MAC address of the incoming client on the port-channel configured with "access-session port-control auto" and applies the subscriber policy "OPENAUTH". The "OPENAUTH" policy described here should be created first:
policy-map type control subscriber OPENAUTH
event session-started match-all
1 class always do-until-failure
2 activate service-template SERV-TEMP3-OPENAUTH
3 authorize
- Configure MAC learning on the foreign for the VLAN (VLAN 19 in this example).
mac address-table learning vlan 19
- The OPENAUTH policy is evaluated sequentially and in this case activates the service template named "SERV-TEMP3-OPENAUTH", defined here:
service-template SERV-TEMP3-OPENAUTH
tunnel type capwap name GUEST_LAN_OPENAUTH
- The service template contains a reference to the tunnel type and name. The client VLAN 75 only needs to exist on the guest anchor since it handles the client traffic.
guest-lan GUEST_LAN_OPENAUTH 3
client vlan 75
mobility anchor 9.7.104.62
no security web-auth
no shutdown
- The tunnel request is initiated from the foreign to the guest anchor for the wired client and a "tunneladdsuccess" indicates that the tunnel buildup process completed.
interface GigabitEthernet1/0/11
switchport access vlan 19
switchport mode access
WEBAUTH
Guest Anchor Configuration
- Enable IPDT and DHCP snooping on client VLAN(s), in this case VLAN75. The client VLAN needs to be created on the guest anchor.
ip device tracking
ip dhcp relay information trust-all
ip dhcp snooping vlan 75
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
- Create the VLAN 75 and Layer 3 VLAN interface.
vlan 75
interface Vlan75
ip address 75.1.1.1 255.255.255.0
ip helper-address 192.168.1.1
ip dhcp pool DHCP_75
network 75.1.1.0 255.255.255.0
default-router 75.1.1.1
lease 0 0 10
update arp
- Create a guest LAN that specifies the client VLAN with the 5760 itself which acts as the mobility anchor.
Unlike open mode, where the "no security web-auth" command is required, web authentication mode keeps web-auth enabled and references an authentication list and a parameter map.
guest-lan GUEST_LAN_WEBAUTH 3
client vlan VLAN0075
mobility anchor
security web-auth authentication-list default
security web-auth parameter-map webparalocal
no shutdown
Foreign Configuration
- Enable DHCP and create the VLAN. As noted, the client VLAN does not need to be set up on the foreign.
ip dhcp relay information trust-all
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip device tracking
- The switch detects the MAC address of the incoming client on the port-channel configured with "access-session port-control auto" and applies the subscriber policy "WEBAUTH". The "WEBAUTH" policy described here should be created first.
policy-map type control subscriber WEBAUTH
event session-started match-all
1 class always do-until-failure
2 activate service-template SERV-TEMP3-WEBAUTH
3 authorize
- MAC learning should be configured on the foreign for the VLAN (VLAN 19 in this example).
mac address-table learning vlan 19
- Configure RADIUS and the web-auth parameter map.
aaa new-model
aaa group server radius rad-grp
server Radius1
dot1x system-auth-control
aaa authentication dot1x default group rad-grp
radius server Radius1
address ipv4 172.19.45.194 auth-port 1812 acct-port 1813
timeout 60
retransmit 3
key radius
parameter-map type webauth webparalocal
type webauth
timeout init-state sec 5000
- The "WEBAUTH" policy is evaluated sequentially and in this case activates the service template named "SERV-TEMP3-WEBAUTH", defined here:
service-template SERV-TEMP3-WEBAUTH
tunnel type capwap name GUEST_LAN_WEBAUTH
- The service template contains a reference to the tunnel type and name. The client VLAN75 only needs to exist on the guest anchor since it handles client traffic.
guest-lan GUEST_LAN_WEBAUTH 3
client vlan 75
mobility anchor 9.7.104.62
security web-auth authentication-list default
security web-auth parameter-map webparalocal
no shutdown
- The tunnel request is initiated from the foreign to the guest anchor for the wired client and a "tunneladdsuccess" indicates that the tunnel buildup process completed.
On ACCESS-SWITCH1, a wired client connects to the Ethernet port that the network administrator has set to access mode. It is port GigabitEthernet 1/0/11 in this example:
interface GigabitEthernet1/0/11
switchport access vlan 19
switchport mode access
WEBAUTH Command O/P Example
Foreign
FOREIGN#sh wir client summary
Number of Local Clients : 2
MAC Address AP Name WLAN State Protocol
-------------------------------------------------------------
0021.ccbc.44f9 N/A 3 UP Ethernet
0021.ccbb.ac7d N/A 3 UP Ethernet
ANCHOR#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
19 0021.ccbc.44f9 DYNAMIC Po1
19 0021.ccbb.ac7d DYNAMIC Po1
FOREIGN#sh access-session mac 0021.ccbc.44f9 details
Interface: Port-channel1
IIF-ID: 0x83D880000003D4
MAC Address: 0021.ccbc.44f9
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 0021.ccbc.44f9
Device-type: Un-Classified Device
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 090C895F000012A70412D338
Acct Session ID: Unknown
Handle: 0x1A00023F
Current Policy: OPENAUTH
Session Flags: Session Pushed
Local Policies:
Service Template: SERV-TEMP3-OPENAUTH (priority 150)
Tunnel Profile Name: GUEST_LAN_OPENAUTH
Tunnel State: 2
Method status list:
Method State
webauth Authc Success
Anchor
#sh wir client summary
Number of Local Clients : 1
MAC Address AP Name WLAN State Protocol
-----------------------------------------------------------
0021.ccbc.44f9 N/A 3 WEBAUTH_PEND Ethernet
0021.ccbb.ac7d N/A 3 WEBAUTH_PEND Ethernet
ANCHOR#sh wir client summary
Number of Local Clients : 2
MAC Address AP Name WLAN State Protocol
------------------------------------------------------
0021.ccbc.44f9 N/A 3 UP Ethernet
0021.ccbb.ac7d N/A 3 UP Ethernet
ANCHOR#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
19 0021.ccbc.44f9 DYNAMIC Po1
19 0021.ccbb.ac7d DYNAMIC Po1
ANCHOR#sh wir client summary
Number of Local Clients : 1
MAC Address AP Name WLAN State Protocol
-------------------------------------------------
0021.ccbc.44f9 N/A 3 UP Ethernet
0021.ccbb.ac7d N/A 3 UP Ethernet
ANCHOR#sh access-session mac 0021.ccbc.44f9
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Ca1 0021.ccbc.44f9 webauth DATA Auth 090C895F000012A70412D338
ANCHOR#sh access-session mac 0021.ccbc.44f9 details
Interface: Capwap1
IIF-ID: 0x6DAE4000000248
MAC Address: 0021.ccbc.44f9
IPv6 Address: Unknown
IPv4 Address: 75.1.1.11
User-Name: 0021.ccbc.44f9
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 090C895F000012A70412D338
Acct Session ID: Unknown
Handle: 0x4000023A
Current Policy: (No Policy)
Method status list:
Method State
webauth Authc Success
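The foreign and anchor outputs above are what an operator reads by hand to confirm that a wired guest was tunnelled and web-authenticated. The following is an added example, not part of the original document or any Cisco tool, that scripts that check: it parses constructed samples modelled on the "show access-session mac ... details" output shown here and reports anything that does not match the expected end state (foreign session pushed on the expected guest LAN, anchor session Authorized with webauth success and an IP in the client VLAN subnet). The guest LAN name and the 75.1.1.0/24 subnet are taken from this document's configuration; everything else is assumed.

```python
import ipaddress
# Constructed samples modelled on this document's "show access-session mac ... details" output.
FOREIGN_OUTPUT = """Interface: Port-channel1
MAC Address: 0021.ccbc.44f9
Session Flags: Session Pushed
Tunnel Profile Name: GUEST_LAN_WEBAUTH
Method status list:
Method State
webauth Authc Success"""
ANCHOR_OUTPUT = """Interface: Capwap1
MAC Address: 0021.ccbc.44f9
IPv4 Address: 75.1.1.11
Status: Authorized
Method status list:
Method State
webauth Authc Success"""

def parse_session(text):
    # 'Key: Value' lines become fields; rows after 'Method status list' become methods.
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Method status list"):
            in_methods = True
        elif in_methods:
            name, _, state = line.partition(" ")
            if name != "Method":
                methods[name] = state
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields

def check_guest_session(foreign_text, anchor_text, guest_lan, client_subnet):
    # Returns a list of findings; an empty list means the tunnelled session looks healthy.
    f, a = parse_session(foreign_text), parse_session(anchor_text)
    findings = []
    if f.get("Tunnel Profile Name") != guest_lan:
        findings.append("foreign session not bound to the expected guest LAN")
    if "Session Pushed" not in f.get("Session Flags", ""):
        findings.append("foreign session was not pushed to the anchor")
    if a.get("Status") != "Authorized" or a["methods"].get("webauth") != "Authc Success":
        findings.append("client is not web-authenticated on the anchor")
    try:
        if ipaddress.ip_address(a.get("IPv4 Address", "")) not in ipaddress.ip_network(client_subnet):
            findings.append("client IP is outside the guest client VLAN subnet")
    except ValueError:  # "Unknown" or missing address, as seen while the client is still pending
        findings.append("anchor has not learned an IPv4 address for the client")
    return findings
```

A client still in WEBAUTH_PEND on the anchor shows "Status: Unauthorized" and "IPv4 Address: Unknown", which this check reports as two separate findings.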