Organizations need an easy and cost-effective method to manage and control wireless network segments using a single management platform. They need a solution that supports limiting individual IT administrator's access to selected segments of the wireless network while still maintaining super-user or root administrator control of the wireless LAN. In addition, managed service providers need the flexibility to manage multiple customer WLANs from a single management platform.
Solution Overview
Enterprises can now segment the Cisco Wireless Control System (WCS) using virtual domains (partitioning). Cisco WCS virtual domains enhance network access control by allowing organizations to limit an individual IT administrator's access to only those wireless network segments that are under each IT administrator's individual responsibility. This feature also allows organizations to maintain super-user and root administrator control of the wireless LAN. Managed service providers can use this feature to easily manage multiple customer WLANs from a single, centralized, easy-to-use Cisco WCS platform.
Cisco WCS virtual domains provide organizations with the flexibility to:
• Define the areas of the wireless network that individual IT administrators (users) can manage.
• Customize virtual domain names by geographical regions, customer names, building, campus, or other customized parameters to meet each organization's individual needs.
• Create up to 128 distinct hierarchical virtual domains.
• Maintain tight control of the wireless network infrastructure that is managed by each IT administrator.
In addition to Cisco WCS virtual domains, Cisco WCS level partitioning is also supported by Cisco WCS Navigator.
Features
Cisco WCS virtual domains features are supported by Cisco WCS Software Release 5.1 and later. The following features are supported by Cisco WCS and managed through its easy-to-use graphical user interface.
Group-By Hierarchical Domains
Cisco WCS virtual domains are grouped by hierarchical domains. IT administrators (users) have access to only those individual domains to which they have been assigned. The top (root) user has complete access to all domains (Figure 1).
Standard Cisco WCS features are available for all domains. Common network management features, including searches, reports, role-based access control (RBAC), and authentication using an authentication, authorization, and accounting (AAA) servers such as RADIUS/TACACS+ have been enhanced to support virtual domains.
Figure 1. Cisco WCS Virtual Domains Grouped by Hierarchical Domains
Robust IT Administrator Access Control
All IT administration rights are rules-based. New IT administrators (users) can be easily added, deleted or assigned virtual domains from Cisco WCS by selecting Administration > AAA > Users (Figure 2). IT administrators can be assigned to one or more virtual domains. Multiple IT administrators can be assigned to the same virtual domain.
Figure 2. Assigning an IT Administrator (User) To One or More Virtual Domains
Note: IT administrators (users) will automatically be placed in the root virtual domain during the upgrade of Cisco WCS to WCS Software Release 5.1 or later. Organizations must create each virtual domain under the root domain and assign users to each virtual domain.
Note: If an AAA server is used to authenticate users, the format of the virtual domain attribute value must be exported to the AAA server. Both TACACS+ and RADIUS servers are supported.
Simplified Configuration of Virtual Domains
Each virtual domain can be configured to include or exclude selected maps, wireless LAN controllers, or access points based on the hierarchical level of each domain. Only the portions of the hierarchy tree under the direct control of the logged-in IT administrators are displayed by Cisco WCS. Virtual domains can be easily added, changed, deleted or exported from the administration configuration screen (Figure 3)
Cisco WCS virtual domains can be grouped by hierarchical domains and partitioned by access points, wireless LAN controllers or maps.
Cisco WCS virtual domains can be deployed using a distributed or centralized wireless LAN controller configuration.
• Distributed controller deployments: A dedicated controller is deployed for each virtual domain. Configuration of each controller and its associated access points can be applied in a standalone manner within each individual domain.
• Centralized controller deployments: Controllers are shared across multiple virtual domains. Each IT administrator is able to monitor and view the controller that is part of their domain, but they are not able to configure the controller or its associated access points. In this type of deployment, configuration of shared controllers can only be completed by the IT administrator with access rights to the top-most level of the virtual domain hierarchy.
IT administrators are restricted to the discrete infrastructure components and associated service entities or geographic regions of the network that are associated with their defined virtual domain (Figure 4 and 5).
• Infrastructure components include wireless LAN controllers, lightweight access points, standalone (autonomous) access points, configuration templates, rogue access points, rogue ad hoc access points, summary page, events, reports, alarms, tags, clients, and chokepoints.
• Service entities include guest access, Cisco 2700 Series Wireless Location Appliance and Cisco 3300 Series Mobility Services Engine (MSE).
• Geographic regions include maps, buildings, floors, and campus areas.
Figure 4. Cisco WCS Virtual Domains Assigned by Organization Name
Figure 5. Cisco WCS Virtual Domains Assigned by Geographic Regions
Benefits
Cisco WCS virtual domains deliver the following benefits:
• Enhanced access control that allows organizations to limit an individual IT administrator's access to only those wireless network segments that are under the IT administrator's individual responsibility.
• Reduced operational costs through the use of a single, centralized Cisco WCS platform to support multiple IT administrators, each of whom has access to only those domains to which they have been assigned.
• Operational cost savings through error reductions because each IT administrator can only make changes to the areas assigned to them.
• Improved productivity because each IT administrator is notified about only the alerts and alarms within their assigned virtual domains. For example, in Figure 1, IT Administrator #2 will only see alerts and alarms for the Central Region and IT Administrator #3 will only see alerts and alarms for the Eastern Region.
• Scalable, simplified WLAN management of all local, remote, and worldwide locations from an easily accessible, centralized management console.
• Managed service providers can easily manage multiple customer WLANs from a single Cisco WCS platform.
Solution Components
• Cisco Unified Wireless Network
• Cisco Wireless Control System (WCS) running Software Release 5.1 or later
• Cisco Aironet® Access Points
• Cisco Wireless LAN Controllers
Summary
Cisco WCS virtual domains (partitioning) support enhanced access control that allows organizations to limit an individual IT administrator's access to only those wireless network segments that are under each IT administrator's responsibility. This innovative feature helps organizations reduce their operation costs for WLAN management, improve IT administrator productivity, and deliver scalable, simplified segmenting of local, remote, and worldwide wireless networks. Cisco WCS virtual domains also gives managed service providers the flexibility to easily manage multiple customer WLANs from a single Cisco WCS platform.
