Table Of Contents
Integrating Cisco Clean Access with Cisco Wireless LAN Controllers
Guest User Design Requirements
Designing the Network Architecture
Wireless Guest Traffic Flow with CAS
Configuring the Cisco Wireless LAN Controller
Configuring the Wireless and CCA Client
Integrating Cisco Clean Access with Cisco Wireless LAN Controllers
This document describes how to integrate the Cisco Clean Access (CCA) solution with a Cisco Wireless LAN Controller (referred to hereafter as the controller) to provide guest user access management and posture assessment features for wireless networks. A similar configuration is designed for non-guest user access and posture assessment.
CCA Overview
CCA is a Network Admission Control (NAC) appliance solution that automatically detects, isolates, and cleans infected or vulnerable devices that attempt to access the network.
Cisco Wireless LAN controllers are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. They work in conjunction with Cisco Lightweight Access Points and the Cisco Wireless Control System (WCS) to support business-critical wireless applications.
NAC makes compliance with security policies a prerequisite for network access. Customers can choose to deploy NAC in two ways: through an industry-collaborative framework (NAC framework), which adopts the solutions of Cisco and other vendors, or through the CCA (NAC appliance) product family, which combines the features of authentication, posture assessment, quarantine, and remediation into a self-contained product.
The CCA solution consists of three components:
• Clean Access Server (CAS). An inline or out-of-band device that acts as the first challenge for any end user trying to access the network. The CAS challenges the end user with a login page or requires the download of a Clean Access Agent before permitting access to the network.
• Clean Access Manager (CAM). This server manages Clean Access Servers remotely, globally, or individually and enables administrators to establish user roles, device checks, and remediation requirements.
• Clean Access Agent. An optional client-side component of the Clean Access system. It is a read-only client that performs device-based registry scans in unmanaged environments. It can be downloaded and provisioned over the web; in fact, customers who use the agent often make it a required download before network access is granted.
CCA with Controller Overview
CCA provides authentication, posture assessment, and remediation services for wireless controller guest users connecting through a local switch port or a trunked interface using 802.1Q. CCA provides full Layer 3/Layer 4 access control management in either the in-band virtual gateway (Layer 2 bridge) or real-IP (Layer 3 router) deployment mode. The following key features are provided when CCA is deployed with a controller as a clean access solution:
• Web login authentication using one or more authentication servers such as RADIUS, Kerberos, LDAP, or NTLM
• Custom splash web page, unique per managed subnet, VLAN, or operating system
• Layer 3/Layer 4 role-based access control (RBAC) to permit access to a specific port, protocol, or subnet
• Bandwidth throttling for each user role by assigning shared or dedicated bandwidth usage
• Guest session timeout management, such as 2 hours for visitors and 24 hours for employees
• Custom URL redirection to a pre-defined page for an acceptable use policy notice
• Pre-configured Windows critical hotfix and anti-virus application checks
• Self-remediation for quarantined users
Guest User Design Requirements
All guest wireless traffic coming into the controller must go through the CAS before it can go anywhere else. A dynamic interface called guest is created in the controller, and all guest traffic is forwarded through it to the untrusted interface of CAS.
After the guest users are authenticated locally or through an external server (RADIUS, LDAP, Kerberos) by the CAS/CAM, the user traffic is allowed only through the CAS and can reach the outside network. You can also set user timeout sessions, bandwidth, and access control management.
Design Guidelines
Consider the following design guidelines when implementing NAC with a CAS:
• Use different SSIDs for employee and guest wireless users.
• Use 802.1X authentication and strong encryption (WPA with TKIP/MIC or WPA2 with AES) for internal users.
• Use fast secure roaming for internal users (CCKM required, available with LEAP and EAP-FAST).
• Use open authentication for guests and broadcast the guest SSID.
• Use the controller to terminate the wireless traffic on a guest wireless LAN interface.
• Set the DHCP address assignment option on the guest wireless LAN interface so that only clients with DHCP-assigned addresses (not static IP addresses) receive traffic.
• Apply security policies to the wireless traffic on the guest wireless LAN interface.
Designing the Network Architecture
Figure 1 shows a network architecture example.
Figure 1 Network Architecture
System Requirements
This design requires the following equipment:
• Cisco 4100 or 4400 Series Wireless LAN Controller, version 2.2.127.9 or later
• Internet access: firewall
• Cisco Clean Access Server 3.4.5.1 or later
• Cisco Clean Access Manager 3.4.5.1 or later
• Cisco Aironet lightweight access points
• Cisco Aironet a/b/g client card
Wireless Guest Traffic Flow
Wireless guest traffic is routed in the following way:
1. Wireless traffic is terminated at the guest wireless LAN interface.
2. From the wireless LAN interface, guest packets are routed to the untrusted interface on the CAS.
3. Traffic is sent from the Clean Access Server to the DMZ interface of the firewall.
4. The security policy is applied at the firewall so that guest traffic is directed outside and blocked from entering the Intranet.
Adding a Clean Access Server
The clean access solution has three deployment methods in the in-band solution:
• Virtual gateway. If you configure the CAS as a virtual gateway, it acts as a pass-through device, and no routing or DHCP changes are needed in the network. This is the quickest and easiest deployment.
• Real-IP gateway. The CAS is the gateway for all end users, and it handles all routing for that side of the network. The CAS can be a DHCP server and hand out 30 subnets, or it can be a DHCP relay and keep all the same IP information.
• NAT gateway. The same as real-IP, except that the CAS performs network address translation (NAT) on all of the addresses on the untrusted side.
In the wireless controller solution, use the real-IP gateway deployment method.
Wireless Guest Traffic Flow with CAS
The guest traffic is forwarded to the CAS as follows:
1. The traffic is sent to the inside of the Clean Access Server.
2. Policies are applied.
3. Traffic is redirected if needed.
4. Traffic is routed through the outside of the Clean Access Server to the DMZ interface of the firewall and then to the Internet.
5. Firewall policies are applied.
6. Traffic is sent out to the Internet.
The reverse path is followed for the returning traffic.
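The following Python model, added here as an illustration and not part of the Cisco document, walks a guest packet through the three enforcement points the flow above describes: the controller's DHCP-required check, the CAS role policy (web-login redirect, quarantine, session timeout), and the firewall's DMZ rule. The addresses, the remediation host and the mapping of the guest WLAN to 172.18.10.0/24 are constructed assumptions; the 2-hour and 24-hour timeouts are the ones the guide names.

```python
"""Toy model of the three enforcement points a guest packet crosses in this design.
Added illustration, not Cisco code.  Addresses and timeouts are constructed; mapping
the guest WLAN to 172.18.10.0/24 is an assumption drawn from the "172.18.10.x" route."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GUEST_NET = ip_network("172.18.10.0/24")            # assumed guest WLAN subnet
INTRANET = ip_network("10.0.0.0/8")                 # constructed corporate address space
REMEDIATION_HOSTS = {ip_address("198.51.100.20")}   # constructed remediation server
ROLE_TIMEOUT_H = {"guest": 2, "employee": 24}       # session timeouts named in the guide


@dataclass
class Client:
    ip: str
    dhcp_assigned: bool   # did the address come from DHCP (WLC "DHCP required" check)?
    role: str             # CAS role: unauthenticated, guest, employee or quarantine
    session_hours: float  # time since the CAS web login


def wlc_admits(client: Client) -> bool:
    """Guest WLAN with DHCP address assignment required: static-IP clients are dropped."""
    return client.dhcp_assigned


def cas_verdict(client: Client, dst: str) -> str:
    """CAS role policy: unauthenticated users are redirected to the web login, quarantined
    users reach only remediation hosts, and expired sessions must log in again."""
    if client.role == "unauthenticated":
        return "redirect-login"
    if client.role == "quarantine":
        return "allow" if ip_address(dst) in REMEDIATION_HOSTS else "deny"
    if client.session_hours >= ROLE_TIMEOUT_H[client.role]:
        return "redirect-login"
    return "allow"


def firewall_permits(src: str, dst: str) -> bool:
    """DMZ policy: the guest subnet may go outside but never into the Intranet."""
    return not (ip_address(src) in GUEST_NET and ip_address(dst) in INTRANET)


def guest_path(client: Client, dst: str) -> str:
    """Walk a packet WLC -> CAS -> firewall and return the first non-allow decision."""
    if not wlc_admits(client):
        return "dropped-at-wlc"
    verdict = cas_verdict(client, dst)
    if verdict != "allow":
        return verdict
    return "allow" if firewall_permits(client.ip, dst) else "blocked-at-firewall"
```

Each decision point is a separate function so a reviewer can check one enforcement layer at a time; an employee-subnet client is not in GUEST_NET, so the same firewall rule lets it reach the Intranet.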
Configuring the Cisco Wireless LAN Controller
Follow these steps to configure the wireless LAN controller.
Step 1 Choose Monitor > Summary to see the status of the controller (see Figure 2).
Figure 2 Monitor Summary
Step 2 Navigate to Interfaces > Edit.
Step 3 Enter regular as a dynamic interface.
Step 4 Assign a VLAN tag of 173 in the VLAN Identifier field (see Figure 3).
Figure 3 Regular Interface
Step 5 Navigate to Interfaces > Edit.
Step 6 Enter guest as the dynamic interface.
Step 7 Assign a VLAN tag of 172 in the VLAN Identifier field (see Figure 4).
Figure 4 Guest Interface
Figure 5 shows the two dynamic interfaces created for employee and guest traffic.
Figure 5 Status of Interfaces
Step 8 From the LWAPP Transport Mode drop-down menu, choose Layer 3.
Step 9 In the RF Mobility Domain Name field, enter mobile1.
Step 10 To create a guest wireless LAN with open authentication and DHCP address assignment required, enter guest as the wireless LAN SSID on the WLANs > Edit window and click the check box that requires DHCP address assignment.
Step 11 To create an employee wireless LAN with WPA authentication and DHCP address assignment required, enter employee as the wireless LAN SSID on the WLANs > Edit window and click the check box that requires DHCP address assignment.
Step 12 To add the RADIUS server information for 802.1X authentication, navigate to Security > AAA > RADIUS Authentication Servers (see Figure 6).
Figure 6 RADIUS Authentication Servers
Configuring CAS and CAM
After the network is configured to route all guest traffic to the CAS, use the CAS to authenticate the guest users and perform posture assessment. Use the Clean Access Manager (CAM) to configure the CAS. User management is configured locally on the CAM. For the CAS configuration, you must connect to the server by clicking Manage on the Clean Access Servers window.
For the CAS to interact with the controller, the server must be configured to operate in Layer 3 mode.
Step 1 Choose Real-IP Gateway as the Clean Access Server Type on the CCA Servers window (see Figure 7).
Figure 7 Real-IP Gateway
Step 2 Enter the DNS server's IP address on the Clean Access Manager window.
Step 3 On the window for the specific IP address, choose Generate Temporary Certificate from the Choose an action drop-down menu (see Figure 8).
Figure 8 Generate Temporary Certificate
Step 4 Create the local user database in the CAM by navigating to User Management > Local Users.
Step 5 Under User Management, choose User Roles (see Figure 9). Create employee and guest roles that allow all traffic to flow once the user has successfully logged on.
Figure 9 User Roles
Step 6 Create a host-based access policy that allows access to remediation sites when users are in the quarantine role. Use the drop-down menu to choose Agent Quarantine Role (see Figure 10).
Figure 10 Agent Quarantine Role
Step 7 For guest users, modify the guest role so that it redirects upon login. Go to User Management > User Roles and click the Edit Role tab. Verify that the Role Name is guest. In the After Successful Login Redirect to field, click to choose this URL and enter the URL to which users should be redirected.
Step 8 You can assign users to different roles by editing the previously created users.
Step 9 Create a login page for the users. Go to Administration > User Pages and choose Add on the Login Page tab.
Step 10 Customize the web login portal page (see Figure 11). Navigate to Administration > User Pages > Login Page > Edit > Content.
Figure 11 Customizing the Web Login
Step 11 If you want to add another subnet (SSID) in addition to the guest subnet, for example for employees, add the Managed Subnet under CCA Servers > Manage > Network > Managed Subnet.
Because the CAS is acting as a real-IP gateway, you must create a static route that sends packets for subnets 172.18.10.x and 172.19.10.x back to the wireless controller via the CAS untrusted interface.
Step 12 To establish guest roles for posture assessment, you must first configure basic network scanning for guest user machines. Choose Network Scanner > Scan Setup to determine which user role and operating system to scan.
Step 13 Click Show Network Scanner User Agreement page to web login users.
Step 14 To establish employee roles for posture assessment, you must create a requirement-rules mapping. Go to Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules. For example, you can choose to check Windows hotfixes on Windows XP machines.
Step 15 Create a role-requirement mapping. For example, you can apply posture assessment to the employee role rather than to the guest role.
Step 16 Click Require use of Clean Access Agent.
Step 17 After guest users successfully log on, they are listed under Monitoring > Online Users.
Step 18 Click the Display Settings tab to show Login Time, OS, and Role (see Figure 12).
Figure 12 Display Settings
Step 19 If a user does not meet the corporate access compliance requirements, his or her status is labelled Quarantine in the Role column (see Figure 13).
Figure 13 Role Distinction
You can generate a report of the users scanned by the CAS. The report can also be tailored to show a specific user and any Windows XP hotfix details.
Configuring the Wireless and CCA Client
Follow these steps to configure the wireless and CCA client. In the Cisco Aironet Desktop Utility, click the General tab within Profile Management.
Step 1 Enter employee as the Profile Name.
Step 2 Click the Security tab.
Step 3 Choose the WPA/WPA2/CCKM radio button.
Step 4 In the WPA/WPA2/CCKM EAP Type drop-down menu, choose PEAP (EAP-MSCHAP V2).
Step 5 Click Configure and either choose Use Windows username and password or enter a different username and password.
Step 6 When you are associated with the employee profile and try to access the Internet, you are prompted to download the Clean Access client software.
Step 7 After downloading the Clean Access client, log in with the user credentials. You can then access the Internet.
Step 8 Click the General tab.
Step 9 Enter guest as the Profile Name in Profile Settings.
Step 10 Click the Security tab.
Step 11 Choose None and then click OK.
If you are using the guest login, you are prompted to enter guest user details or to click the Guest Access icon. After you have successfully logged in, a virus protection policy bulletin is displayed. If you accept the policy bulletin, the guest computer is scanned for viruses and a report is presented. You can then access the Internet.