CCNA Wireless Training :: Wireless Guest Networks

Video Statistics and Information

Captions
So the last WLAN security topic is going to be talking about guest networking, so we'll focus this in on the Unified Wireless Network. Guest networks typically contain one or more of the following components. So, guest, I should step back and say: a guest is basically any time we want to provide network connectivity to non-corporate people, so visitors coming in, you know, customers or whatever it's going to be. But sort of the defining thing about a guest is that they have connections on devices that you don't control. So if you don't control the devices, you don't know whether they use antivirus, you don't know if they're patching, you don't know if they have infections, a virus or malware. So you generally want to be protecting your network from these, or we're kind of segregating these guests over onto a separate network that we can control and protect our internal assets from these guest devices.

The other thing that we need to focus in on with guests is that we need to make the network pretty easy to access, because one, obviously, we're not configuring profiles on the client devices, so we don't want any fancy security stuff going on; we don't know how good the people are at configuring their stuff, so we want to keep it as basic as possible. So a classic guest-type network sort of looks like this, any combination of these types of things. The network is an open network, so on the layer 2 security policy we choose None. We're not doing WEP, we're not doing WPA pre-shared keys, EAP, nothing; an open network makes it really simple. We then probably have some layer 3 authentication, which means when they connect up to the network and they try to get to a web page, we redirect them to some sort of different web page, and we have two basic types of web pages we can redirect them to. One is a web authentication page, which means we're only going to let them on if they supply a valid username and password, and then we would have to make sure that, you know, they learn the username and password: either it's a shared password that everyone uses, or it could be a little more fancy where each guest that comes in gets their own unique username and password, whichever way you want to play it. The other type of web page we can redirect them to is referred to as a passthrough page or an acceptable use policy page. They don't have to provide a username and password here, but we do want to redirect them and at least, you know, give them a little corporate spiel and say, do you agree to the terms of service or whatever it is, and they say, yep, I agree. That's what we want to just sort of cover our butts legally or whatever it's going to be. So web auth: username and password; passthrough or acceptable use page: no username and password. Then we're going to be placing them on some sort of a segregated guest VLAN so that we can apply policy on that VLAN, and then we may be doing some sort of an auto-anchor scenario where we tunnel these guests all the way out to our DMZ as opposed to dropping them off internally on our internal network here.

So we can understand how these different components work as well as the guest access progression, so rather than try to have bullet points about this, I'm going to configure this in front of you, show you how it all works, watch a client connect up and just sort of see how things operate with a guest network. Okay, so the type of guest network we'll design will end up looking like this. So I have some APs on WLC 2; this will be our internal controller, also referred to as the foreign controller. We're going to do that auto-anchor scenario; we'll tunnel that to WLC 1, which will be our DMZ controller, so we'll pretend it lives in the DMZ. It's also referred to as the anchor controller, and then the client will drop off on the VLAN; we'll go ahead and put them on VLAN 11. We'll redirect them to a web page; we'll do a web authentication, which ends up being hosted on Wireless LAN Controller 1, and then we'll sort of watch the progression here.

So how can we, you know, put all the pieces in place to get this configured? Well, let's just take a quick look at WLAN controllers WLC 1 and WLC 2 right now. WLC 1 does not have any access points on it, which would be very typical of a DMZ-type controller. WLC 2 does have a couple of access points on it, so this is our internal controller. If I look at my controller interfaces for dynamic interfaces, I do not have VLAN 11 on my internal controller, and that's fine; I don't need it there. I do need VLAN 11 on my anchor controller, so let's go ahead and configure that. So create a new dynamic interface, place it on VLAN 11, assign it to some ports, so let's say primary port 1, backup port 2. We need an IP address on the interface, so some unused IP address on the VLAN, the default gateway, and a DHCP server to use. My switch, the default gateway, the switch should be set up for DHCP services, so I'll target that. Okay.

If I want to tunnel up these WLANs, one of the requirements I have is that they need to be in each other's mobility domain list, so let's go ahead and look at our mobility group list or domain list; you'll see it referred to either way. All right, so they're not in there right now; we just have the local entry in the group list, so I need to add them together. So all I need to do is choose New, and I just need to populate the information about controller 2, so I could just copy the MAC address, copy the IP address of controller 2, and then the mobility group name, Apply. So I could do it like that. I can also do this process where I do an Edit All and I can sort of copy/paste within these text boxes, one of my personal favorites, and I just need to add in the mobility group name, because we need all three pieces of information: MAC address, IP address, mobility group. Both ways just get the same job done. Okay, so now they're in each other's lists. Eventually I want to see the status move into a state of Up, which hopefully eventually it will; it just takes a few minutes to make this happen. So okay, we got the control plane up; shortly we should move into a fully Up state, so I'll keep on going and assume this is going to complete.

Okay, next step, let's go ahead and configure the WLAN, and we need to configure the WLAN on both controllers. One, we need it on the foreign or internal controller because that's what's going to advertise it to the access points, so I absolutely need it there, and then we need it on controller 1 so we can reference it as we tunnel the clients between the controllers. So one of the big rules when doing this auto-anchor tunneling is, when I configure my SSIDs, they need to be configured extremely identically with very, very few exceptions, so I'll try to tell you the exceptions as we go along. So I'm just going to be kind of configuring it in both controllers one screen at a time. So I'll go ahead and just call it guest pod 1 1. The ID number can be different; that's okay. The WLAN ID number does not have to match, so in this case it doesn't match, and that's fine. Okay, so we'll just keep this pretty simple: turn it on. The interface does not have to match, because very often we have different interfaces between an internal controller and an external controller, so on the internal controller just leave it at management; that's fine, because it's the configuration on the anchor controller that determines where this client is going to drop off onto. So I'll go ahead and say we're going to drop this client off on VLAN 11 on the anchor controller. Okay, security: this definitely needs to match up. So on layer 2 we're going to do an open network, which means None. Layer 3, we'll go ahead and do a web authentication, so I turn on Web Policy and choose Authentication; again, Web Policy, Authentication. And I'm just going to leave everything else as is, but definitely everything in here the same; everything on the Advanced tab has to be the same. Security, you know, I think AAA servers might be... we could specify different RADIUS servers; that might be one difference, but as much as you can, make everything as the same as possible, otherwise we're going to run into problems. So we'll save.

Okay, now we need to link these up, so at the moment we just have two controllers that happen to have the same WLAN configuration, but we don't have that auto-anchoring configured. So once I have my WLAN, from the WLANs list, if I go all the way over to the right to the blue box, I'm going to choose Mobility Anchors. So on the internal controller, the foreign controller, you know, we're trying to tell it, okay, who's the anchor controller? So 10.10.111.10 is the anchor, which is Wireless LAN Controller 1; Mobility Anchor Create. This tells controller 2 to send the clients out to controller 1. On controller 1 I need to do a similar configuration. I need to say we're doing mobility anchoring, so you need to expect these mobility, you know, these client sessions being sent to you. Who's the anchor switch? Well, controller 1 is, so we choose local. If we neglect to do this on controller 1, controller 2, you know, would try to send the entries over to controller 1, but controller 1 would be like, I don't want that, I'm not configured to do auto-anchoring. So you need to configure it on both sides.

All right, so at this point we are almost ready to go. One other thing I need, since I'm doing a web auth WLAN, we need some sort of username and password to authenticate with, so you'll find that under Security, Local Net Users, and then we'll create a new one, and I'll just call it guest with the password of guest. Okay, so what did we all do? We got my interface configured on WLC 1; we configured controller 1 and controller 2 in each other's mobility group list, and let's see if the tunnel or the link came all the way up. We got all the way up to a status of Up on both sides, hopefully, yeah. We configured the same WLAN on both; once the WLAN was configured, we configured the mobility anchors, and then I configured a username and password to use for the web authentication. So I believe at this point WLAN controller 2 should be advertising this guest network; we should be able to connect up to it. So let's go ahead and give it a shot, and we can watch the progression of the guest authentication.

So over here I have a Wi-Fi client; it is using AnyConnect, so this little icon right over my shoulder here is the AnyConnect icon, so this is my supplicant. All right, so here's guest pod 1; I'm seeing it advertised, connecting to it, acquiring IP address. So this should be tunneling me to controller 1; controller 1 is dropping me off on VLAN 11, and there I pulled an IP address of 10.10.11.150, so I pulled an IP address on VLAN 11 like I thought I should. Now let's take a look at what things look like on the controllers. So I'm going to see a client session on both controller 2 and controller 1, the foreign and the anchor controllers, but they look a little bit different. So there's my client session on controller 2; let's get it up on controller 1. Okay, so on controller 2, this is the foreign controller; this is the controller that has the access point that I'm associated up to, so I can see some, you know, general information: what's my MAC address, what's my IP address, what interface am I being dropped off onto, but this doesn't really apply since I'm being tunneled up to the DMZ controller. One important thing I'm looking for: the mobility role is Export Foreign. So what we have is this forced layer 3 roam: WLC 2 is the foreign controller, WLC 1 is the anchor controller; that's why I see Export Foreign as the client mobility role, and then I can see, okay, who's the anchor? 10.10.111.10, so this is where the other end of that EoIP tunnel is, and the policy manager state is RUN. Now our RUN state is actually the final working state that a client gets to, so once the client has connected up, fully authenticated, it makes its way to a RUN state. This is one difference we're going to see from the foreign controller to the anchor controller: the foreign controller thinks everything's all perfect now; you know, this client's good as far as I'm concerned.

Let's go to the anchor controller and look at some differences. So anchor controller, you guys see the MAC address and IP; we see that it's dropping it off on VLAN 11, and this is the one that counts. We see it has the Export Anchor mobility role; it's got the anchor entry. Who's the peer, though? I can see the peer is Wireless LAN Controller 2. The policy manager state is Web Auth Required, so we're waiting for the client to go through the web auth process before we move it into that final RUN state on the anchor controller. So this is really the first state that we settle into once we get connected up and get our IP address on the anchor controller: web auth required. Now a client in this web-auth-required state is very limited in what it can do. All it can do is, you know, pull an IP address, so it can do DHCP-type functionality, which, you know, we saw that it worked; it pulled an IP address. And it can do DNS resolutions. That's it. I can't do anything else on my client, so if I went to my client and tried to do something like a ping, you'll see it's not going to work. Scroll up here, so I'll try to ping my default gateway, 10.10.11.1. No, that's not going to respond because I'm in this sort of restricted state. One thing I can do is I can do a DNS lookup, so let's see if I learned DNS information. Oh, what would be... all right, so I did get a server (inaudible). cisco-capwap-controller, I think I still have that entry in there, now if I type it right, proctorlabs.com. There we go, so I was able to do a DNS resolution; I resolved cisco-capwap-controller.proctorlabs.com to 10.10.112.(inaudible). That's the extent of what I can do, oops, sorry: DHCP, DNS.

So what's going to happen? How do I progress forward? My client needs to open up a web browser. Now normally what we have to do would be to resolve the IP address of some sort of DNS name, and I have a DNS name, so why don't I try that? That's probably not going to work. We'll try http://cisco-capwap-controller.proctorlabs.com. Ultimately what we have to do is: it has to be an HTTP request, it has to be a port 80 request; HTTPS will not induce a web redirect, so it has to be HTTP, and it has to be a DNS-resolvable IP address, so it has to be a DNS address that actually has to resolve correctly to an IP address. What's going to happen is the controller is going to intercept the DNS resolution result, and instead of sending it to the web page it wants, it'll change the result and send it to the internal web engine on the controller. So we'll see if this works; I haven't ever tried this. Normally I don't have a DNS entry as I'm going through scenarios like this, so this is working, though. All right, so I resolved cisco-capwap-controller.proctorlabs.com; it's trying to do a web redirect now. The web page it redirects to is an HTTPS web page, and my browser doesn't like the cert, so I get a cert warning. I'll just go ahead and click through that cert warning, and then here is the web authentication page. So I just need to supply some correct credentials here. Once I log in correctly, Submit, now I should move into a RUN state. So if I go back to my anchor controller and refresh, there we go, I successfully authenticated; now I'm in a RUN state. Now my client can do whatever I'm allowed to do on that VLAN, so I go back and now I should be able to complete that ping. I still have to retype it in: ping 10.10.11.1. There we go, all my restrictions have been lifted since I'm no longer in that web-auth-required state.

So from the client perspective, just to rehash that: the client needs to pull an IP address, which it can do; it needs to learn about a DNS server and a DNS suffix, because it needs to do a DNS resolution in order for this to work; pull up a web browser, go to any HTTP page, port 80 web page, and type in a DNS name that resolves to an IP address. The controller intercepts the DNS resolution response and instead sends them over to the internal web page. You'll notice the IP address at the top of this page, well, if you saw it before, it was actually the IP address of my virtual interface, so the virtual interface is the target of our web redirect. We type in our username and password, hit Submit, and as long as I was successful we move into a RUN state and my restrictions are lifted; I can talk to whatever this VLAN allows me to talk to. So that would be configuring the guest network as well as the progression of the guest authentication and how to make it work from the client perspective.
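The guest access progression walked through in the captions above, as an added example that is not part of the original video and is not Cisco's code: a small Python model of the anchor controller's per-client policy for a WLAN with layer 2 security None and layer 3 Web Policy / Authentication. It shows the Web Auth Required state passing only DHCP and DNS, a port 80 request being intercepted and redirected to the login page on the virtual interface, HTTPS and ping being dropped, and a Local Net Users check moving the client to RUN. The virtual interface address 192.0.2.1, the DNS server address, the DNS record for cisco-capwap-controller.proctorlabs.com, the client MAC and the DHCP pool are constructed values for this example, not the lab's.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class PolicyState(Enum):
    WEBAUTH_REQD = "WEBAUTH_REQD"   # first state on the anchor after DHCP: only DHCP and DNS pass
    RUN = "RUN"                     # final state once the web login succeeded


@dataclass
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    dst: str
    dport: int = 0      # ignored for icmp


@dataclass
class Guest:
    mac: str
    ip: str
    state: PolicyState = PolicyState.WEBAUTH_REQD


class AnchorController:
    """Toy model of the anchor (DMZ) controller's per-client policy; not the WLC's own logic."""

    def __init__(self, virtual_ip, dns_server, dns_records, local_net_users):
        self.virtual_ip = virtual_ip                  # target of the web redirect (assumed value)
        self.dns_server = dns_server                  # assumed to be the guest VLAN gateway
        self.dns_records = dict(dns_records)          # constructed zone: name -> IP
        self.local_net_users = dict(local_net_users)  # Security > Local Net Users
        self.guests = {}
        self._next_host = 150                         # constructed DHCP pool on VLAN 11

    def associate(self, mac):
        """Open WLAN: association always succeeds and DHCP leases an address on VLAN 11."""
        guest = Guest(mac=mac, ip=f"10.10.11.{self._next_host}")
        self._next_host += 1
        self.guests[mac] = guest
        return guest

    def filter(self, guest, pkt):
        """Return 'allow', 'drop' or 'redirect:<url>' for one packet from the client."""
        if guest.state is PolicyState.RUN:
            return "allow"                            # restrictions lifted
        if pkt.proto == "udp" and pkt.dport in (53, 67):
            return "allow"                            # DNS and DHCP are all WEBAUTH_REQD permits
        if pkt.proto == "tcp" and pkt.dport == 80:
            # A port-80 request is intercepted and bounced to the login page served on the
            # virtual interface; HTTPS (443) never matches this branch, so it is dropped below.
            return f"redirect:https://{self.virtual_ip}/login.html"
        return "drop"                                 # ping, HTTPS, anything else

    def resolve(self, guest, name):
        """DNS works pre-auth, but only a name with a real record gives the browser an IP to connect to."""
        if self.filter(guest, Packet("udp", self.dns_server, 53)) != "allow":
            return None
        return self.dns_records.get(name)

    def web_login(self, guest, username, password):
        """Check submitted credentials against the local net users; success moves the client to RUN."""
        expected = self.local_net_users.get(username)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            guest.state = PolicyState.RUN
        return ok


def guest_access_progression():
    """Replay the client's progression from association to RUN and return each step's outcome."""
    wlc1 = AnchorController(
        virtual_ip="192.0.2.1",
        dns_server="10.10.11.1",
        dns_records={"cisco-capwap-controller.proctorlabs.com": "10.10.112.2"},  # constructed
        local_net_users={"guest": "guest"},
    )
    guest = wlc1.associate("00:11:22:33:44:55")       # constructed client MAC
    gateway = "10.10.11.1"
    name = "cisco-capwap-controller.proctorlabs.com"
    steps = {}
    steps["dhcp"] = guest.ip
    steps["ping pre-auth"] = wlc1.filter(guest, Packet("icmp", gateway))
    steps["dns"] = wlc1.resolve(guest, name)
    steps["dns no record"] = wlc1.resolve(guest, "does-not-exist.proctorlabs.com")
    steps["https"] = wlc1.filter(guest, Packet("tcp", steps["dns"], 443))
    steps["http"] = wlc1.filter(guest, Packet("tcp", steps["dns"], 80))
    steps["bad login"] = wlc1.web_login(guest, "guest", "wrong")
    steps["state after bad login"] = guest.state.value
    steps["good login"] = wlc1.web_login(guest, "guest", "guest")
    steps["ping post-auth"] = wlc1.filter(guest, Packet("icmp", gateway))
    return steps


if __name__ == "__main__":
    for step, outcome in guest_access_progression().items():
        print(f"{step:22} {outcome}")
```

The point the model makes explicit is the one the video shows on the two controllers: the foreign controller reports RUN as soon as the client is tunneled, so the only state worth checking for a guest is the policy manager state on the anchor, and a browser that only ever speaks HTTPS, or that cannot resolve a name, never produces the port 80 request the redirect depends on.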
Info
Channel: IPexpertInc
Views: 111,386
Rating: 4.9134197 out of 5
Keywords: Cisco Career Certifications, CCNA (Field Of Study), CCNA Wireless, CCNA Wireless Training, CCNA Wireless Training Video, iPexpert, Cisco Wireless
Id: Ve7PEl0ZiDg
Length: 19min 37sec (1177 seconds)
Published: Thu Mar 13 2014