Presentation Transcript


  1. Module 8 WLAN Hotspot

  2. Objectives • Identify the key aspects of Hotspots • Identify and describe key aspects of captive portal • policies • web pages • enforcement modes • capture & redirection • Describe different uses for Hotspots and captive portals • Identify key recommendations for Hotspots and captive portals

  3. Captive Portal

  4. Introduction • WiNG5 introduces a new Captive Portal implementation that addresses the limitations of WiNG4 • In WiNG5 the Captive Portal can be hosted on ANY WiNG5 device • A Captive Portal on an Access Point provides the same functionality as one on the Wireless Controller • You may deploy the Captive Portal on a Wireless Controller located in a DMZ or isolated network [Diagram: three deployment models. Centralized Hotspot: APs adopt to the Wireless Controller, which hosts the Captive Portal. Distributed Hotspot: each Access Point hosts its own Captive Portal. Tunneled Hotspot: APs adopt to the Wireless Controller and the Captive Portal sits on a device in the DMZ]

  5. Hotspot – Captive Portal Features • Each Captive Portal instance operates in HTTP (default) or HTTPS connection mode, as set in its Captive Portal Policy; in HTTP mode the login credentials cross an open WLAN in cleartext, so use HTTPS whenever credentials are collected • Each Captive Portal Policy selects one of the following Access Modes: • Radius – Users must enter a valid username and password before being granted access to the network (same as WiNG4) • No Authentication – Users are presented with a 'splash' page and are not required to authenticate to gain access to the network • Logging – Generates an SNMP trap and an Event log entry and permits access • Custom User Information – Users must enter valid custom information such as Name, Email, Address and Telephone, which can optionally be validated against an external AAA server • Default and user-defined login pages can be hosted locally on the Wireless Controller or Access Point, or externally on an HTTP server • Default login pages can be partially customized with text, with added support for small and large logo URLs

  6. Hotspot – Captive Portal Enforcement Modes • Each WLAN carries a Captive Portal configuration that selects the enforcement mode and the Captive Portal Policy • Each WLAN supports three Captive Portal enforcement modes: • Off – Captive Portal is disabled on the WLAN • On – Captive Portal enforcement is enabled for all Wireless Clients, even if primary authentication succeeds • Fall-Back – Captive Portal is enabled for Wireless Clients whose MAC or EAP authentication fails (no encryption) • Captive Portal authentication is therefore performed either after primary authentication (On) or as a fall-back when MAC or EAP authentication fails (Fall-Back) [Diagram: Off – optional primary authentication only; On – optional primary authentication, then Captive Portal; Fall-Back – EAP / MAC authentication, then Captive Portal on failure]

  7. Hotspot – Captive Portal Policies • The Captive Portal implementation consists of two parts, both defined by the same Captive Portal Policy • The WLAN: • Assign the Policy and select the Captive Portal Enforcement Mode to instruct the AP to perform "Capture" on this WLAN • Define the Hotspot VLAN (Local or Tunnelled) • The Portal Device (the same AP or another WiNG5 device): • Hosts the Portal part • Must be reachable over TCP/IP via the Hotspot VLAN from every AP carrying the Hotspot WLAN • May be assigned using Profiles or Overrides • The same Captive Portal Policy must be assigned to both parts for the Captive Portal to work [Diagram: WLAN on a Local or Extended VLAN with its Captive Portal Policy; Portal Device with its Device Profile and a Virtual IP Interface on that VLAN]

  8. Hotspot – Web Pages • The Captive Portal Policy determines where the Captive Portal pages are stored: • Internal – The default login, welcome, failed and agreement pages are stored in flash on the Wireless Controllers or Access Points • Advanced – Customized login, welcome, failed and agreement pages are uploaded onto flash on the Wireless Controllers or Access Points hosting the Captive Portal • External – The login, welcome, failed and agreement pages are stored on an external HTTP server and are defined by administrators using URLs • Only one Web Page Location type is supported for each Captive Portal Policy • Flash layout for locally hosted pages:
  flash:/
    hotspot/
      wlan-name-1/
        login.html
        welcome.html
        fail.html
        agreement.html
      wlan-name-2/
        login.html
        welcome.html
        fail.html
        agreement.html

  9. Hotspot – Capture & Redirection • Prior to authentication, the Captive Portal permits only certain traffic: ARP, DHCP, DNS, white-listed hosts and packets destined for the Captive Portal server (TCP port 880 for HTTP, TCP port 444 for HTTPS) • All other traffic from an unauthenticated client is blocked; a client HTTP request on port 80 is captured and answered with a redirect to the portal login page • The connection mode only changes the redirect target: in both modes the captured request is the client's plaintext HTTP request on port 80 • Because DNS is permitted before authentication, DNS tunnelling can carry traffic past the portal; keep the white list minimal [Diagram: HTTP and HTTPS capture & redirection sequence between Wireless Client, Captive Portal and Backend Network] 1. User associates to the WLAN 2. DHCP Discover, DHCP Offer, DHCP Request, DHCP ACK 3. User attempts to connect to a web page: DNS Query (www.example.com), DNS Response (216.77.22.133) 4. HTTP Req. (216.77.22.133 Port 80) 5. HTTP mode: HTTP Redirect (Portal IP Port 880), HTTP Req. (Portal IP Port 880), HTTP Response (Login Page); HTTPS mode: HTTP Redirect (Portal IP Port 444), HTTPS Req. (Portal IP Port 444), HTTPS Response (Login Page)
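The enforcement-mode decision from slide 6 and the pre-authentication capture and redirection flow from slide 9, modelled in Python as an added example. This is not code from the module or from WiNG5 itself: the portal ports 880 and 444 and the list of traffic permitted before login follow the slides, while the portal IP, the white-list entries, the packet fields, the `orig` query parameter carrying the originally requested URL and the MAC-keyed session table are assumptions of this example.

```python
"""Captive-portal enforcement and pre-authentication capture, modelled.

Added example, not WiNG5 code. Ports 880/444 and the pre-auth allow list
follow the slides; everything else (packet fields, the `orig` parameter,
the MAC-keyed session table) is an assumption of this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import quote

PORTAL_HTTP_PORT = 880    # portal listener for HTTP connection mode
PORTAL_HTTPS_PORT = 444   # portal listener for HTTPS connection mode


class Enforcement(Enum):
    OFF = "off"
    ON = "on"
    FALL_BACK = "fall-back"


def portal_required(mode: Enforcement, primary_auth_passed: bool) -> bool:
    """Does this client have to pass the captive portal?

    primary_auth_passed is the result of MAC/EAP authentication; pass
    False when the WLAN has no primary authentication configured.
    """
    if mode is Enforcement.OFF:
        return False
    if mode is Enforcement.ON:
        return True                       # portal even after successful EAP/MAC
    return not primary_auth_passed        # FALL_BACK: portal only on failure


@dataclass
class PortalPolicy:
    portal_ip: str                        # assumed: Virtual IP on the hotspot VLAN
    https: bool = False                   # connection mode; HTTP is the default
    whitelist: set = field(default_factory=set)   # hosts reachable pre-login

    @property
    def portal_port(self) -> int:
        return PORTAL_HTTPS_PORT if self.https else PORTAL_HTTP_PORT


@dataclass
class Packet:
    proto: str                            # "arp", "udp" or "tcp" (simplified)
    dst_ip: str = ""
    dst_port: int = 0
    host: str = ""                        # HTTP Host header of a captured request
    path: str = "/"


def preauth_decision(pkt: Packet, policy: PortalPolicy) -> str:
    """Filter verdict for an unauthenticated client: allow, redirect or drop."""
    if pkt.proto == "arp":
        return "allow"
    if pkt.proto == "udp" and pkt.dst_port in (53, 67):
        return "allow"                    # DNS and DHCP must work before login
    if pkt.dst_ip in policy.whitelist:
        return "allow"                    # white-listed hosts
    if pkt.dst_ip == policy.portal_ip and pkt.dst_port == policy.portal_port:
        return "allow"                    # the portal itself
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        return "redirect"                 # captured: answered with a 302
    return "drop"                         # everything else, client HTTPS included


def redirect_response(pkt: Packet, policy: PortalPolicy) -> str:
    """Build the HTTP 302 returned for a captured port-80 request."""
    scheme = "https" if policy.https else "http"
    original = f"http://{pkt.host}{pkt.path}"
    location = (f"{scheme}://{policy.portal_ip}:{policy.portal_port}"
                f"/login.html?orig={quote(original, safe='')}")   # `orig` is assumed
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Connection: close\r\n\r\n")


class PortalSession:
    """Per-client state. Authorisation is keyed on the client MAC, which is
    why spoofing an already logged-in client's MAC is the classic bypass."""

    def __init__(self, policy: PortalPolicy):
        self.policy = policy
        self.authenticated = set()

    def login(self, mac: str) -> None:
        self.authenticated.add(mac)       # called once the portal login succeeds

    def handle(self, mac: str, pkt: Packet) -> str:
        if mac in self.authenticated:
            return "allow"
        return preauth_decision(pkt, self.policy)


if __name__ == "__main__":
    # Constructed sample traffic mirroring the slide's exchange.
    policy = PortalPolicy(portal_ip="10.10.10.1", https=True,
                          whitelist={"10.10.10.53"})
    session = PortalSession(policy)
    mac = "aa:bb:cc:dd:ee:01"
    dns = Packet("udp", "10.10.10.53", 53)
    web = Packet("tcp", "216.77.22.133", 80, host="www.example.com", path="/")
    print(portal_required(Enforcement.FALL_BACK, primary_auth_passed=False))
    print(session.handle(mac, dns), session.handle(mac, web))
    print(redirect_response(web, policy))
    session.login(mac)
    print(session.handle(mac, web))
```

Running the block walks one client through the slide's sequence: DNS is allowed, the first port-80 request is captured and answered with a 302 to `https://10.10.10.1:444/login.html`, and after `login()` the same request passes. The `drop` branch is where a client's own HTTPS connections to other sites land before login, which is why the portal must be reached via a captured plaintext request.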

  10. Hotspot Recommendations • Use an authenticating access mode (Radius or Custom User Information) rather than No Authentication or Logging wherever users must be accountable • When permitting access to private networks, use WPA2-PSK encryption with strong passphrases • Use a dedicated VLAN for hotspot traffic • Apply a firewall policy to restrict guest access to private networks and high-bandwidth applications • Install digital certificates from a trusted CA on infrastructure devices, so the HTTPS portal does not present a self-signed certificate that users learn to click through

  11. Hotspot – Example Use Case

  12. Example Use Case 1 (Public Hotspot) [Diagram labels: Remote Site (Public Hotspot): Captive Portal, DHCP, Firewall, NAT, IPsec VPN, guest users on Local VLAN 100; Public Network / MPLS: User Traffic to the World Wide Web, Default Gateway for Local VLAN 100, Local VLAN 4094; Data Center / NOC: Web Server hosting the Login Pages, User DB, Provisioning, AP Adoption on VLAN 10, reached over IPsec]

  13. Example Use Case 2 (Centralized Guest Access) [Diagram labels: Public Network: World Wide Web; DMZ: NAT, Firewall, VLAN 20; Data Center / NOC: AP Adoption on VLAN 10, Captive Portal, Firewall, DHCP, Default Gateway for Tunneled VLAN 200; Distribution: VLAN 11, VLAN 12, VLAN 13; Guest Access WLAN mapped to Ext. VLAN 200 at every site]

  14. Example Use Case 3 (Tunneled Guest Access) [Diagram labels: Public Network: World Wide Web; DMZ: Captive Portal, DHCP, Firewall, NAT, Firewall, VLAN 20, Ext. VLAN 200, Default Gateway for Tunneled VLAN 200; Data Center / NOC: AP Adoption on VLAN 10; Distribution: VLAN 11, VLAN 12, VLAN 13; Guest Access WLAN mapped to Ext. VLAN 200 at every site]

  15. Considerations
  1. Each 802.1X EAP, MAC and Captive Portal enabled WLAN must be assigned to an AAA Policy
  2. Encryption is now performed locally on each Access Point and is no longer tunneled to the Wireless Controller
  3. Wireless Clients can be statically assigned to a single Local or Tunneled VLAN or to a pool of them
  4. Wireless Clients can be dynamically assigned to a Local or Tunneled VLAN by the AAA server
  5. The RADIUS Proxy mode None requires the Access Points to have an IP address assigned
  6. Captive Portal Policies must be assigned to the WLANs as well as to the Wireless Controller or Access Point hosting the Captive Portal
  7. A Virtual IP Interface must be assigned to the Local or Tunneled VLAN on the device hosting the Captive Portal
  8. Captive Portals require DNS name resolution for the capture and redirect function to operate

  16. LAB 6: Hotspot – Create and Test Hotspot WLAN • Create Captive Portal Policy • Assign to Hotspot WLAN and Portal Device • Test

  17. Module Summary • Identify the key aspects of Hotspots • Identify and describe key aspects of captive portal • policies • web pages • enforcement modes • capture & redirection • Describe different uses for Hotspots and captive portals • Identify key recommendations for Hotspots and captive portals
