Configure OpenRoaming in the Cisco Catalyst 9800

Captions
Hey everyone, welcome to How to Configure OpenRoaming on the Cisco Catalyst 9800. My name is Justin Liu, a technical marketing engineer here in Cisco's Enterprise Network Wireless BU. Today we're going to go over what OpenRoaming is and how it works, then we'll go over how to enable this on your Catalyst 9800 access network. Before we get started, please ensure that you have already added the DNA Spaces Connector and 9800 WLC to your DNA Spaces account, and ensure you have at least the DNA Spaces See license in order to enable OpenRoaming. If you have not, please watch the DNA Spaces 101 Episode 2 video, where we cover how to do this. You can find this video in the description below.

So why do we need OpenRoaming? Well, there's been a push from device vendors for randomized and changing MAC addresses, or RCM, when joining a wireless network, to prevent user tracking using the MAC address. The end devices will generate a new MAC address whenever they join a new SSID, and some devices will even generate a new MAC address when joining the same SSID. So the issue lies in how network operators can balance the privacy goals of the user with their own network operation goals. With RCM, this will impact network operations like the captive portal, proximity reporting, and analytics data and applications. Due to the MAC address changing, returning visitors to the network will be reported as a new device, so this will cause them to be redirected to the captive portal many times. Also, this will have an adverse effect on the proximity reporting, as devices identified by MAC will also be listed multiple times, and this will also affect guest metrics such as dwell time and visitor count. To help solve this, OpenRoaming provides a way to generate a device ID to identify devices while also giving users a way to prevent their real identities from being shared with the wireless network provider. Also, OpenRoaming will provide seamless and secure guest onboarding experiences, because traditionally guest wireless networks have been open networks that sometimes first show the user a captive portal, or they will have to enter in their information before they can access the network. On open networks your data is not secure, and unless you use something like a VPN you're always at risk. And while using the captive portal, these are often cumbersome and sometimes do not trigger, causing the users to be caught in limbo where they're connected to the Wi-Fi network but they actually cannot access anything. With OpenRoaming, the user devices will use an OpenRoaming profile installed on their device to automatically join an 802.1X secured wireless network, providing users a secure connection while bypassing the need for a captive portal.

So now that we know some of the reasons why we have OpenRoaming, let's see how it works. OpenRoaming is a consortium of identity and access providers to enable seamless roaming and onboarding for user devices. Access providers are the wireless networks that you would connect to, like those at hospitals, retail locations, and hotels, while identity providers authenticate the device to ensure they are valid users who can access the network. OpenRoaming is under the WBA and provides the access providers with the ability to reach all the identity providers, and all the identity providers a way to reach all the access providers. And how is this done? This is done through abstraction. So let's think of a credit card. Everyone uses a credit card because every store takes it, and every store takes it because everyone carries a credit card. With the credit card, the stores do not need to have a relationship with every bank; they only need to create an abstraction, the credit card. The banks join a credit card and the stores use that credit card, allowing any store to connect to any bank. This is exactly what OpenRoaming is: it allows any identity provider to be used by any access provider.

So now let's see a typical OpenRoaming journey to see how this works. First, the access network and identity provider, or IdP, will need to onboard to the OpenRoaming federation. During onboarding, the access provider and IdP receive certificates from ecosystem brokers like Cisco. These prove their identity and verify the assets they own, like the access network or a set of identities. This allows the access network and IdP to authenticate each other when they communicate. Next, the IdP configures DNS so it can be discovered in the identity federation. The access network then configures its wireless network to use 802.1X authentication and to leverage Hotspot 2.0 and 802.11u protocols to advertise to end devices that it supports OpenRoaming and to let devices know which identities it accepts. Now, when a user roams into range of the access network, if the device has an identity that is accepted by the network, it will then use that to join the SSID. EAP is used to secure the credentials sent from the client to the access network, and this is typically EAP-TLS, TTLS, or AKA, and the identity will be decorated with a realm such as cisco.com. The access network will then use the realm and DNS to dynamically discover the IdP. It will then create a TLS tunnel to the IdP with the certificates downloaded from the ecosystem broker, and the access request will be sent via RadSec to the IdP. If the user is valid, the IdP will return the Access-Accept to the access network, as well as the identity of the user if the user had chosen this. Now the device will be able to access the network.

Today we'll be focusing on the access network, and this is made up of three components: the 9800 controller; the access points, which can be the Catalyst 9100 series APs as well as our Wave 1 and Wave 2 APs; and finally the DNA Spaces Connector. The controller and APs define the Hotspot 2.0 and OpenRoaming-compatible 802.1X networks, as well as receiving the client join requests and then forwarding these requests to the DNA Spaces Connector. The connector serves as a RADIUS proxy for the network; it will dynamically discover the IdP and forward all the RADIUS requests to the IdP over RadSec.

So now let's go configure OpenRoaming on our Catalyst 9800 network. There will be five main steps to configure OpenRoaming. First, you'll have to add the DNA Spaces Connector as a AAA target on the Catalyst 9800. Next, we'll have to configure the OpenRoaming WLAN, and then we'll enable the OpenRoaming hotspot connector on the DNA Spaces Connector. Then we'll configure the OpenRoaming hotspot ANQP server, and finally we'll enable OpenRoaming for the WLAN. Once that's done, we'll verify the connectivity of our newly created OpenRoaming network.

So now that we're in the web UI of the 9800, let's go configure the DNA Spaces Connector as a AAA target for our network. To do this, we'll go to Configuration > Security > AAA. Now, under the Servers/Groups tab, under RADIUS > Servers, I'm going to click Add, and then for the name I'm just going to say "open roaming connector", and then for the server address we'll put the IP address or hostname of the DNA Spaces Connector. Next, for the key, this will be radsec, as shown on the screen: r-a-d-s-e-c, all lowercase. And then we'll click Apply to Device. Now we'll apply this RADIUS server to a server group, so we'll click Server Groups and then click Add. I'm going to name this "open roaming group", and then for MAC Delimiter we're going to set this to hyphen, and then for the source interface VLAN, if you have a specific VLAN that has connectivity to your DNA Spaces Connector, choose that. I'm going to choose VLAN ID 12, and then select the open roaming RADIUS server, apply that to the Assigned Servers, and click Apply to Device.

Now we'll apply this RADIUS server group to AAA method lists. First, under Authentication, we'll click Add, and here name this whatever you need to name this; I'm going to name this "open roaming authentication", and then for Type I'm going to choose dot1x and leave Group Type as group. Now I'll select the open roaming server group, apply that to the Assigned Server Groups, and click Apply to Device. Now we'll go to Authorization and click Add. I'm going to name this "open roaming authorization", and then for Type I'm going to choose exec and leave Group Type as group. Next I'm going to select the open roaming server group, apply it to the Assigned Server Groups, and click Apply to Device. Lastly, we'll go to Accounting and click Add. I'm going to name this "open roaming accounting", and then for Type I'm going to choose identity, and then choose the open roaming server group, apply it to the Assigned Server Groups, and click Apply to Device. Now we'll go to the AAA Advanced tab and, under Global Config > Show Advanced Settings, ensure that the Called Station ID for both accounting and authentication is AP MAC Address SSID, and then click Apply to Device.

So now that it's saved, let's go configure our OpenRoaming WLAN. To do this, we'll go to Configuration > Tags & Profiles > WLANs. Next we'll click Add. Here, name the WLAN whatever you need to name it, and then the SSID will also auto-populate, so you can change that as well. Next, set the Status to Enabled. Also ensure that Broadcast SSID is enabled, or devices will not join the OpenRoaming network. Next we'll go to the Security tab, and under Layer 2, choose your preferred Layer 2 security mode; I'm going to leave it as WPA + WPA2. Then we'll scroll down to the Auth Key Management and ensure that 802.1X is enabled. Next we'll scroll up and go to the AAA sub-tab, and here for the authorization list, select the open roaming authentication list that we created earlier, and click Apply to Device.

So now that we've created the OpenRoaming WLAN, we'll go to the DNA Spaces dashboard to configure the OpenRoaming hotspot connector for our DNA Spaces Connector. Now that we're in the DNA Spaces dashboard, let's go open the OpenRoaming app. To do this, you can either click on the OpenRoaming tile under See apps, or if you go to the top right and go to the app selector, you can also choose OpenRoaming here. I've already configured OpenRoaming previously, so I'm redirected to an OpenRoaming statistics page; however, if this is your first time, you'll be redirected to an OpenRoaming Getting Started page. To access this, you can actually go click the hamburger menu and click Get Started. So regardless of where we were redirected, let's go access the Setup page. To do this we'll go back to the hamburger menu and click Setup. On the Setup page there are three main steps: we have to first create an OpenRoaming profile, then set up a hotspot-enabled connector, and then finally we'll do the network configuration.

So let's go create our OpenRoaming profile. This will define the types of identities which are accepted by our access network, as well as defining any service provider offload settings for the network. To do this, let's first click Create OpenRoaming Profile. Now in the window, let's click Proceed, and here are the access policies, so this will be the types of users that can access the OpenRoaming network. The options are: accept all authenticated users, which is the default; accept only users that provide a real identity to the access network by sharing their email; accept users with specified identity types; and accept only your users, but you'll need to be added as an identity provider. For the specified user types, you can choose whether or not you want, for example, device manufacturer ID or cloud social ID, as well as toggling whether or not you want them to provide a real identity. So for example, I can select all identity types and then toggle that I want to require real identities. In my case, I'm going to leave this as the default, accept all authenticated users. Next, you can set preferred credentials, so if you prefer credentials from your domain you can set that here. All you have to do is check "I have preferred credentials", and then in the Domain drop-down, select the available domains here, and if you do not see yours you can click Add Custom Domain, enter the domain, click Save and Add, and click Add to save the domain. But I'm going to click "I do not have preferred credentials" and then click Next.

And here, for the SSID details, this will be the SSID name of the WLAN you had configured earlier, so in my case I'm going to name this OpenRoaming Video. If we open the advanced options, we can see that there's the default status as well as fast transition. For default status this can be enable or disable, and fast transition is adaptive, enable, or disable. I'm going to leave this as the default: default status enabled and fast transition adaptive. Now we'll click Next, and here is where you'll set settings for carrier offload. If you want this to be enabled, you'll have to make sure you have the DNA Spaces Extend license at least, and then have an existing relationship with the carrier. After toggling Allow Carrier Offload, scroll down in the list to find the carrier that you want to have, and once you find it, you can check the box next to it to enable that, and if you want to enable static routing you can also check the box for enable. I'm not going to configure carrier offload, so I'm going to disable it now and then click Next. Here in the summary page it will give you an overview of what you configured. In my case I have the access policy as "allowed users: accept all authenticated users", preferred credential is "no preferred credentials", the SSID is OpenRoaming Video with default status of enabled and fast transition adaptive, with no carrier offload. Then for the profile name, this will be auto-populated by the SSID name, and you'll refer to this when you save it. We'll click Done and then click Continue OpenRoaming Setup.

So now let's enable the hotspot connector on the DNA Spaces Connector. To do this, you'll have to make sure that your DNA Spaces account is linked to your DNA Spaces Connector, so if you haven't done that, please do that now. Now let's go enable the hotspot connector. We'll click Enable Hotspot for Connectors and then choose the required connector; the list here will be populated by the Spaces connectors that are linked to your account. I'm going to select "just blue dns connector" and click Continue. Here we'll have a token generated, and you'll copy this token to the DNA Spaces Connector, and this will be used to download the necessary certificates for OpenRoaming. For security purposes this is a one-time-use token, so please do not use this token to deploy the hotspot connector on any other DNA Spaces Connectors. Now click Copy, and we'll go over to the DNA Spaces Connector UI to paste the token.

Now that we're in the Cisco DNA Spaces Connector UI, we'll go apply the token. To do this, we'll click the settings icon in the right corner and click Configure Token. Here, paste the token that we copied over and click Save. Now the Spaces Connector will download the necessary hotspot connector Docker images and deploy it onto the DNA Spaces Connector. This may take a few minutes, so we'll come back once this is done. Now we're back, and to ensure that the hotspot connector has been successfully installed, there is now a Hotspot tab here in the UI. If we click on that, we can check the top right corner and see that it is set to Running.

Now we'll go back to the OpenRoaming setup to enable the hotspot ANQP server on our 9800. Now that we're back in the OpenRoaming setup page, let's go generate the configurations for our controller to generate the hotspot ANQP server. To do this, we'll scroll down to the Network Configuration section and search for the necessary Catalyst controller. The controller list is populated by adding the controller to DNA Spaces. Once you've found the necessary 9800 controller, you'll hover over it on the right side and then click on the gear icon, and in the Configure Controller window we'll select the OpenRoaming profile we have configured, so in this case we'll select OpenRoaming Video. Here it will give you a summary view again of what you had configured, just in case you had forgotten. In this case, the access policy is accept all authenticated users with no preferred credentials, an SSID of OpenRoaming Video with default status enabled and fast transition adaptive, and carrier offload disabled. Now we'll click Continue, and here you'll choose Catalyst 9800 as the controller type. Next, for the WLAN name, we'll enter again the WLAN we created, so OpenRoaming Video, and then we'll click Show Configuration. Here for the type, if you have 17.2.1 or higher running, choose Catalyst 17.2.1 / 17.3.1, and if you're running anything earlier you'll choose Catalyst 16.12.1 / 17.1.1. The generated configurations will be used to create the hotspot ANQP server for OpenRoaming, and the settings here are created based off the settings defined in the OpenRoaming profile. Also, the configurations include applying the hotspot ANQP server to the default wireless policy profile, and then mapping the default wireless policy profile to the WLAN you created. If you are not using the default policy profile and policy tag, you can just copy the settings for the hotspot ANQP server. I'm not going to be using the default wireless policy profile nor the policy tag, so I'm just going to copy the settings for the hotspot ANQP server. Starting from the OpenRoaming OI line, we'll select that and go all the way up to the wireless hotspot ANQP line, and then we'll copy that.

Now we'll apply this to the CLI of our 9800. I'm going to be using the Command Line Interface tool in the web UI of the 9800 to apply the configurations. To do this, we'll click Administration and then go to Command Line Interface. Here we'll select the Configure option, and then we'll copy and paste over the configuration from DNA Spaces. Then we'll click Run Command, and here double-check that all the commands show "command executed successfully".

Next we'll apply the hotspot ANQP server to our wireless policy profile. I've already created a wireless policy profile, so I'll just be going over how to apply this to it. We'll go to Configuration > Tags & Profiles > Policy, and here I'm going to select my OpenRoaming Video wireless policy profile; this is just a standard central switching, central authentication, central DHCP enabled profile. Now I'm going to go to the Advanced tab, and here on the Hotspot Server we'll select the open roaming server that was created, and then under AAA Policy we'll apply the accounting method list we created for OpenRoaming, and this will report the statistics back to DNA Spaces. Now we'll click Update & Apply to Device.

Now that it's done, we'll go to Configuration > Tags & Profiles > Tags, and here we'll create an OpenRoaming policy tag. Click Add and name this "open roaming", then we'll click the Add button under WLAN-Policy Maps and then choose the WLAN profile for OpenRoaming as well as the wireless policy profile. Then we'll click the check box to save the mapping and click Apply to Device. Next we'll apply this to our APs. We'll go to Configuration > Wireless > Access Points. I'm going to select my AP and choose the open roaming policy tag, and then click Update & Apply to Device. Now the AP will have to disjoin and rejoin the controller, so we'll come back once it has rejoined. Now that the AP has rejoined, we can verify that it does indeed have the open roaming policy tag.

So now let's go verify the connectivity of our OpenRoaming network. To verify the connectivity, you can use either an Apple or Android device running the OpenRoaming mobile app. The Apple devices need to have iOS 13.3 or higher, and the Android devices need at least Android 9 or higher. The OpenRoaming mobile app will be used to download and install the OpenRoaming profile onto the device. You can also use some devices which do not require the app to download the OpenRoaming profile, and these are the Samsung devices which run Android 10 or higher, as well as Google Pixel running Android 11 or higher. I'll be using my iPhone running iOS 14 to verify my OpenRoaming network.

Now that I'm on my iPhone, let's go connect to the OpenRoaming network. First we'll open the OpenRoaming mobile app and sign in with either Apple or Google; I chose Apple and clicked Continue. Next, this will take you to a terms and conditions page, so you'll have to accept the terms and conditions and then click Continue. Here you can choose whether or not you want to share your email with the OpenRoaming providers; I'm going to choose to share it and then click I Understand. Here it will ask if you want to install the Wi-Fi hotspot network; click Allow. Now the OpenRoaming profile has been downloaded and installed onto your phone. In the Usage page you'll see the different OpenRoaming networks that you connected to previously, and if you go to the Account page you'll see the account that you signed into, as well as options to log out, delete the account, or toggle whether or not you want to share your email ID. If you choose to not share it anymore, you'll just have to untoggle that. Next you'll get a warning saying you may not connect to some access networks, but that's okay; click Proceed. Then you'll also get another pop-up asking you to reinstall the OpenRoaming profile, so click Allow. Additionally, you can check the different devices you had logged into in the Devices tab; in my case I've logged into two different iPhones.

Now let's go to the Settings app to check whether or not we can connect to the OpenRoaming network. I'm just going to re-enable the Wi-Fi; I disabled it just so that the network wouldn't automatically connect to my phone. Now, if you notice, the OpenRoaming Video SSID is not in my known networks, so if we wait a few seconds it'll then automatically be selected without any action from me, and I'll be connected. Now I'm going to turn off the Wi-Fi in order to simulate going in and out of range of the OpenRoaming network. Once I enable it again, you'll see that it's not in my known networks, but it'll automatically be selected and connect to the OpenRoaming Video SSID, showing a simple and secure onboarding experience.

And with that, we've reached the end of this video. In summary, we've learned exactly why we need OpenRoaming, how OpenRoaming works, and then how to configure it on our 9800 controller. If you enjoyed this video, please give it a like and subscribe to our YouTube channel. Thank you for watching.
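The controller-side steps walked through in the video (AAA target, method lists, WLAN, ANQP server binding, policy profile, policy tag and AP assignment) as the equivalent Catalyst 9800 IOS-XE CLI. This is an added example, not configuration from the video and not the block DNA Spaces generates; the object names, the connector address 192.0.2.10, source VLAN 12, WLAN ID 5 and the AP MAC are assumed values, and the ANQP server body is a placeholder for what DNA Spaces produces from the OpenRoaming profile.

```cisco
! Added example: Catalyst 9800 CLI equivalent of the web-UI steps in the video.
! Assumptions (not from the video): connector at 192.0.2.10, source VLAN 12,
! WLAN ID 5, AP MAC aaaa.bbbb.cccc, and the object names used below.
!
! Step 1: DNA Spaces Connector as the AAA target. The shared key "radsec" is the
! value the video uses. It only protects the WLC-to-connector hop; the connector
! carries the request on to the IdP inside a certificate-authenticated RadSec
! (TLS) tunnel, so keep that hop on a trusted VLAN (here VLAN 12).
radius server OPENROAMING-CONNECTOR
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key radsec
!
aaa group server radius OPENROAMING-GROUP
 server name OPENROAMING-CONNECTOR
 ip radius source-interface Vlan12
 mac-delimiter hyphen
!
aaa new-model
aaa authentication dot1x OPENROAMING-AUTH group OPENROAMING-GROUP
aaa authorization exec OPENROAMING-AUTHZ group OPENROAMING-GROUP
aaa accounting identity OPENROAMING-ACCT start-stop group OPENROAMING-GROUP
! Called-Station-Id format the video requires for authentication and accounting
radius-server attribute wireless authentication call-station-id ap-macaddress-ssid
radius-server attribute wireless accounting call-station-id ap-macaddress-ssid
!
! Step 2: the OpenRoaming WLAN. WPA/WPA2 with 802.1X as the only AKM, tied to the
! dot1x method list above; SSID broadcast is left at its default (enabled).
wlan OpenRoaming-Video 5 OpenRoaming-Video
 security wpa akm dot1x
 security dot1x authentication-list OPENROAMING-AUTH
 no shutdown
!
! Step 3 (hotspot connector token) happens on DNA Spaces and the connector, not here.
!
! Step 4: hotspot ANQP server. Paste the block generated by DNA Spaces from the
! OpenRoaming profile in place of this placeholder; the roaming OI and NAI realm
! values below are NOT real values.
wireless hotspot anqp-server OPENROAMING-ANQP
 roaming-oi PLACEHOLDER-OI-FROM-DNA-SPACES
 nai-realm PLACEHOLDER-REALM-FROM-DNA-SPACES
!
! Step 5: bind the ANQP server and the accounting list to the policy profile
! (central switching/authentication/DHCP, as in the video), map WLAN to policy
! profile in a policy tag, and assign the tag to the AP (it will rejoin).
wireless profile policy OpenRoaming-Video
 hotspot anqp-server OPENROAMING-ANQP
 accounting-list OPENROAMING-ACCT
 no shutdown
!
wireless tag policy OpenRoaming
 wlan OpenRoaming-Video policy OpenRoaming-Video
!
ap aaaa.bbbb.cccc policy-tag OpenRoaming
```

Applying this through Administration > Command Line Interface in Configure mode, as the video does, reports each line's result; any line that does not come back as executed successfully (typically a misspelled name or an ANQP value that did not paste cleanly) should be corrected before assigning the policy tag, since the tag change forces the AP to rejoin.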
Info
Channel: Cisco Catalyst TV
Views: 159
Id: XsD6e6F6u4k
Length: 23min 33sec (1413 seconds)
Published: Tue Nov 30 2021