Deployments

This topic describes the deployment scenarios of the Guest access solution.

Guest Access using WLC

The guest access solution for wireless networks can be deployed with leading wireless LAN controllers (WLCs). You can deploy a wireless network with WLCs and a wireless network for guests. Guest authentication is performed by an external authentication server, and the IPS server can be used as that external authentication server.

This deployment assumes that the user has already deployed a wireless network for guests using a WLC and would like to have a centralized authentication server. When the wireless network is built with WLCs from multiple vendors, a centralized authentication server becomes even more useful.

The user flow is explained below:

  1. The guest user comes on-premises and connects to the guest SSID.
  2. The guest user opens a browser to access an internet resource.
  3. The user is redirected to the IPS guest login page.
  4. The guest user clicks the self-registration link on the guest login page and completes the registration process.
  5. If the Administrator has configured a Host Checker policy, IPS evaluates the Host Checker results.
  6. Pre-authentication – Host Checker policies are evaluated first and then the user is prompted for credentials. For configuration details, see User Realms.
  7. Post-authentication – User credentials are validated first and then the Host Checker policies are evaluated. For configuration details, see User Roles.
  8. The guest user logs in with guest user credentials. IPS validates the credentials and, based on the result, the WLC redirects the guest user to the requested resource.

Guest Access using EX switch/SRX Firewall

When IPS and an EX Series switch/SRX firewall are deployed, users must first sign in to IPS for authentication before they can access a protected resource behind the EX Series switch/SRX firewall.

To facilitate sign-in, you can configure a redirect policy on the EX Series switch/SRX firewall to automatically redirect HTTP traffic destined for protected resources to IPS. When the IPS sign-in page is displayed, the user signs in, and access to the internet is granted. These user accounts can be created by the Guest User Account Manager.

The user flow is explained below:

  1. The guest user comes on-premises and tries to connect to the internet.
  2. The guest user opens a browser to access an internet resource.
  3. The guest user is redirected to the IPS login page.
  4. If the Admin has configured Host Checker restrictions on the guest role/realm, the guest user is provided access only after the Host Checker policies are evaluated.
  5. The Admin can configure the Host Checker in two ways:
  6. Pre-authentication (Host Checker restriction on the guest realm) – The Host Checker policies are evaluated first and then the user is prompted for credentials.
  7. Post-authentication (Host Checker restriction on the guest role) – The user credentials are validated first and then the Host Checker policies are evaluated.
  8. The guest user logs in with the credentials provided by the guest Admin (GUAM).

Guest Access using Cisco Switch

The guest access feature is supported for wired guest endpoints with Cisco switches. To facilitate sign-in, you can configure a redirect policy on the Cisco switch to automatically redirect HTTP traffic destined for protected resources through IPS. When the IPS sign-in page is displayed, the user signs in, and access to the internet is granted.

The user flow is explained below:

  1. The guest user comes on-premises and connects to the LAN.
  2. The guest user opens a browser to access an internet resource.
  3. The user is redirected to the IPS guest login page.
  4. The guest user self-registers on the IPS guest portal and receives the credentials by email/SMS or on the UI.
  5. If the Administrator has configured a Host Checker policy, IPS evaluates the Host Checker results.
  6. Pre-authentication – Host Checker policies are evaluated first and then the user is prompted for credentials. For configuration details, see User Realms.
  7. Post-authentication – User credentials are validated first and then the Host Checker policies are evaluated. For configuration details, see User Roles.
  8. The guest user is authenticated and redirected to the requested internet resource.

The configuration details are covered in Configuring IPS for Guest Wired Authentication using Cisco Switch.