This document describes how to integrate a NAC Guest Server (NGS) with Wireless LAN Controllers (WLCs) and an Adaptive Security Appliance (ASA) to provide URL logging and reporting of guest traffic. Many companies have a requirement to monitor guest traffic, and this paper provides information on how to configure the Cisco components to meet that requirement.
Note that there are multiple Cisco solutions to configure Guest Access in a Cisco Network. This article focuses on the method that uses the WLC as the enabling technology. The WLC has the unique ability to tunnel traffic from the network edge to the Internet with EoIP. This feature eliminates the need to deploy VPNs or ACLs within the network infrastructure to restrict guest traffic from leaking into the internal network of the company.
The bulk of this article covers “Integrated URL Logging and Reporting” in a “wireless-guest” network, but this feature can be configured in a “wired-guest” network, as well. Appendix A provides details for a “wired-guest” network.
Ensure that you meet these requirements before you attempt this configuration:
ASA that runs version 188.8.131.52 or later
Two WLC-4400 Series controllers that run version 4.2.130 or later
NAC Guest Server that runs version 2.0 or later
The information in this document is based on these software and hardware versions:
ASA that runs 184.108.40.206
Two WLC-44xx controllers that run 4.2.130 code
NAC guest server that runs 2.0.0 code
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Wireless guest access provides significant business benefits to customers. These benefits include reduced operational costs, improved productivity, and simplified management and provisioning of guest access. In addition, the NAC Guest Server enables customers to display their acceptable-use-policy and require acceptance of this policy prior to granting access to the Internet. Now, with the addition of integrated URL logging and reporting, customers can log guest usage and track compliance against their acceptable-use-policy.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
Wireless-Guest Lab Topology
The Catalyst 6500 is used to simulate the enterprise network. The guest SSID, shown in red, maps to the native VLAN at the ASA, also shown in red. Guest traffic flows from the PC into the Access Point, through the LWAPP tunnel to the WLC Foreign Controller, and then through the EoIP tunnel to the WLC Anchor Controller. The Anchor Controller provides DHCP and authentication services for the guest network. The DHCP service provides the guest with an IP address, default gateway, and DNS server. The default gateway is the ASA, and the DNS server is a public server located on the Internet. The authentication service in the Anchor Controller communicates with the NGS through RADIUS to authenticate users against the guest user database in the NGS. The guest logon is initiated when the guest opens a web browser, and the Anchor Controller redirects the traffic to the authentication page. All traffic in and out of the guest subnet is filtered through the ASA for policy control and auditing.
The Integrated URL Logging is activated when you enable these:
RADIUS accounting from the WLC Anchor Controller to the NGS
Logging of http Get Requests in the ASA
Sending of syslog messages from the ASA to the NGS
RADIUS accounting provides the NGS with a mapping between the guest IP address and the guest user ID for a specific time period. The logging of http Get Requests provides the NGS with a log of what URL was visited by the guest IP address at what time. The NGS can then correlate this information to produce a report that shows the URLs visited by a particular guest for a particular time period.
Note that accurate time is required for this correlation to work properly. For this reason, the configuration of NTP servers is highly recommended on the ASA, WLC, and NGS.
This document uses these configurations:
Key configuration tasks on the ASA include these:
NTP is required to insure proper correlation of messages by the NGS. HTTP inspection enables URL logging. Syslog is the method used to send the URL logs to the NGS.
In this example, this command is used to enable NTP on the ASA:
ntp server 192.168.215.62
HTTP inspection enables the ASA to log URLs. Specifically, the inspect http command enables or disables logging of the GET request with syslog message 304001.
The inspect http command is placed under a class-map within a policy-map. When enabled with the service-policy command, http inspection logs Get requests with syslog message 304001. ASA code 220.127.116.11 or later is required for syslog message 304001 to show the hostname as part of the URL.
In this example, these are the relevant commands:
policy-map global_policy class inspection_default inspect http ! service-policy global_policy global
Syslog is the method used to communicate URL logging to the NGS. In this configuration, only syslog message 304001 is sent to the NGS with this configuration:
logging enable logging timestamp logging list WebLogging message 304001 logging trap WebLogging logging facility 21 logging host inside 192.168.215.16
Key configuration steps for the Wireless LAN Controllers include these:
Basic Guest Access
Basic guest access configuration involves the configuration of a WLC Foreign Controller and WLC Anchor Controller so that guest traffic is tunneled through the enterprise network to the Internet DMZ. The configuration of basic guest access is covered in separate documentation. Illustrations that show the configuration for the setup are covered in the Appendix.
NTP servers are added at the Controller/NTP screen.NTP Configuration on WLC
A RADIUS accounting server is required so that the NGS server can map the source IP address received in the ASA syslog messages to the guest that uses that address at that particular time.
These two screens show the configuration of RADIUS authentication and RADIUS accounting on the WLC Anchor Controller. RADIUS configuration is not required on the Foreign Controller.RADIUS authentication
The NGS server is configured from the https://(ip_address)/admin web page. The default username/password is admin/admin.
NTP servers are added in the Server/Date-Time-Settings screen. It is recommended that the System Timezone be set to the timezone where the server is physically located. When NTP is synchronized, you see a message at the bottom of this screen that says, “Status: Active NTP servers” along with the IP address that shows “current time source.”NGS NTP Configuration
The NGS server needs to be configured with the IP address of the Anchor Controller as a RADIUS client. This screen is located at the Devices/RADIUS-Clients page. Make sure that the shared secret is the same as was entered on the Anchor Controller. Click the Restart button after you make changes to restart the RADIUS service on the NGS server.RADIUS Clients
By default, the NGS server accepts syslog messages from any IP address. As a result, there are no additional steps required to receive the syslog messages from the ASA.
Use this section to confirm that your configuration works properly.
Follow these steps to verify that URL logging works properly.
From a client PC, connect to the wireless guest network. The PC receives an IP address, default gateway, and DNS server from the DHCP server in the Anchor Controller.
Open a web browser. You are redirected to a login screen. Enter a guest username and password. Upon successful authentication, you are redirected to a default page on the Internet.
Browse to various web pages on the Internet.
Connect a management PC to the NGS at https://(ip_address) and login as a sponsor.
Click Account Management. You see a list of guest accounts. (If your guest account does not show up, click the Advanced Search button and clear the filter that specifies that this sponsor can only see accounts that they created.)
Find the guest user account from the list. Scroll to the right until you see the details icon. Click the details icon.
Click the Activity Log tab. You see a list of the URLs that the guest visited.URL Logging Report for user
The report shows that the guest user visited http://www.cisco.com on April 1, 2009 at 2:51 PM. The Device address of 192.168.59.49 is the IP address of the ASA that sent the syslog message containing the URL log. The source IP address for the guest users is 192.168.0.10. The destination address is 192.168.219.25 for http://www.cisco.com.
Up to this point, this article has covered “Integrated URL Logging and Reporting of Guest Traffic” for use in a “wireless-guest” network. This section provides details to configure a “wired-guest,” as well. Wired-guests and wireless-guests can be enabled on the same WLC Foreign Controller.
This is the network diagram for the Wired-Guest Network Lab.Wired-Guest Lab Topology
The wired-guest lab topology is similar to the wireless-guest lab topology, shown earlier, except for the addition of a wired-guest VLAN. The wired-guest VLAN, shown in red, is a Layer-2 connection between the wired-guest PC and the WLC Foreign Controller. Traffic from the wired-guest is received by the WLC Foreign Controller and sent by EoIP to the WLC Anchor Controller. The WLC Anchor Controller provides DHCP and authentication services for the wired-guest user in the same way it provided these services for the wireless-guest user. The default gateway is the ASA, and the DNS server is a public server on the Internet. Logically, all traffic in and out of the subnet is protected by the ASA.
It is recommended not to configure a Layer-3 interface on the Wired-Guest VLAN since this can enable a hop-off point for traffic to leak out of the wired-guest VLAN into the corporate network.
WLC Anchor Controller
Anchor Controller Interfaces
Configuration of the interfaces on the Anchor Controller is shown:
The ap-manager and management interfaces are on the native VLAN of physical port 1 of the WLC. Port 1 connects to the Catalyst switch and receives traffic from the customer network. Guest traffic is received through the EoIP tunnel from the Foreign Controller and terminates through this port.
The guest interface is on the native VLAN of port 2, and the wired interface is on VLAN 9 of port 2. Port 2 connects to the ASA and is used to send traffic out to the Internet.
Anchor Controller Mobility Groups
For this example, one Mobility Group is configured for the Foreign Controller (Wired) and a separate Mobility Group for the Anchor Controller (Anchor). The configuration on the Anchor Controller is shown.
Anchor Controller WLANs
Anchor Controller - Set Anchor for Guest WLAN
In order to configure or show Mobility Anchors for a WLAN, move your mouse to the drop-down arrow at the right, and choose Mobility Anchors, as shown.
Anchor Controller - Set anchor to itself
Anchor Controller - WLAN for Wireless-Guest Users
Anchor Controller - WLAN for wired-guest users (optional)
Anchor Controller - DHCP Scopes
Anchor Controller - DHCP Scope for Wireless-Guests:
Anchor Controller - DHCP for Wired-Guests (optional):
The configuration of the interfaces on the Foreign Controller is shown.
The ap-manager and management interfaces are on the native VLAN of physical port 1 of the WLC.
The wired interface is optional and is only required if you want to provide wired-guest access. The wired interface is on VLAN 8 of physical port 1. This interface receives traffic from the Guest VLAN of the Catalyst switch and sends it out the EoIP tunnel, through the native VLAN, to the Anchor Controller.
Foreign Controller - Mobility Groups
The configuration on the Foreign Controller is shown.
Foreign Controller - WLANs
In order to configure or show Mobility Anchors for a WLAN, move your mouse over the drop-down arrow at the right and choose Mobility Anchors, as shown.
Mobility Anchor set to Anchor Controller
Foreign Controller - Guest WLAN for Wireless-Guest users
Foreign Controller - WLAN for Wired-Guest Users (Optional) – Continued
ASA-5520# show run : ASA Version 8.0(4)26 ! hostname ASA-5520 ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.59.49 255.255.255.240 ! interface GigabitEthernet0/2 <- Guest traffic enters this interface nameif wireless_guest security-level 50 ip address 192.168.0.254 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.99.1 255.255.255.0 management-only ! boot system disk0:/asa804-26-k8.bin clock timezone CST -6 clock summer-time CDT recurring logging enable logging timestamp <- provide a timestamp in each syslog message logging list WebLogging message 304001 <- list includes URL Log message (304001) logging console errors logging buffered notifications logging trap WebLogging <- Send this list of Log messages to syslog servers logging asdm informational logging facility 21 logging host inside 192.168.215.16 <- NGS is the syslog server asdm image disk0:/asdm-61551.bin route inside 10.10.10.0 255.255.255.0 192.168.59.62 1 route inside 192.168.215.0 255.255.255.0 192.168.59.62 1 route inside 18.104.22.168 255.255.255.255 192.168.59.62 1 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.99.0 255.255.255.0 management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 22.214.171.124 <- Configure ntp server ! class-map inspection_default match default-inspection-traffic ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect http <- Enable http inspection on the global policy ! service-policy global_policy global <- Apply the policy prompt hostname context Cryptochecksum:b43ff809eacf50f0c9ef0ae2a9abbc1d : end
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.