Document ID: 110304
Updated: Jun 04, 2009
Introduction
This document describes how to integrate a NAC Guest Server (NGS) with Wireless LAN Controllers (WLCs) and an Adaptive Security Appliance (ASA) to provide URL logging and reporting of guest traffic. Many companies are required to monitor guest traffic, and this document shows how to configure the Cisco components to meet that requirement.
Note that there are multiple Cisco solutions for Guest Access in a Cisco network. This article focuses on the method that uses the WLC as the enabling technology. The WLC can tunnel guest traffic with EoIP from the network edge (the Foreign Controller) to an Anchor Controller in the Internet DMZ. Because the guest traffic stays encapsulated end to end, there is no need to deploy VPNs or ACLs throughout the network infrastructure to keep guest traffic from leaking into the internal network of the company; the ASA in the DMZ remains the single enforcement point for guest traffic.
The bulk of this article covers “Integrated URL Logging and Reporting” in a “wireless-guest” network, but this feature can be configured in a “wired-guest” network, as well. Appendix A provides details for a “wired-guest” network.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- ASA that runs version 8.0.4.24 or later
- Two WLC-4400 Series controllers that run version 4.2.130 or later
- NAC Guest Server that runs version 2.0 or later
Components Used
The information in this document is based on these software and hardware versions:
- ASA that runs 8.0.4.26
- Two WLC-44xx controllers that run 4.2.130 code
- NAC Guest Server that runs 2.0.0 code
- Catalyst 6500
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
Wireless guest access provides significant business benefits to customers. These benefits include reduced operational costs, improved productivity, and simplified management and provisioning of guest access. In addition, the NAC Guest Server enables customers to display their acceptable-use-policy and require acceptance of this policy prior to granting access to the Internet. Now, with the addition of integrated URL logging and reporting, customers can log guest usage and track compliance against their acceptable-use-policy.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Wireless-Guest Lab Topology
The Catalyst 6500 is used to simulate the enterprise network. The guest SSID, shown in red, maps to the native VLAN at the ASA, also shown in red. Guest traffic flows from the PC into the Access Point, through the LWAPP tunnel to the WLC Foreign Controller, and then through the EoIP tunnel to the WLC Anchor Controller. The Anchor Controller provides DHCP and authentication services for the guest network. The DHCP service provides the guest with an IP address, default gateway, and DNS server. The default gateway is the ASA, and the DNS server is a public server located on the Internet. The authentication service in the Anchor Controller communicates with the NGS through RADIUS to authenticate users against the guest user database in the NGS. The guest logon is initiated when the guest opens a web browser, and the Anchor Controller redirects the traffic to the authentication page. All traffic in and out of the guest subnet is filtered through the ASA for policy control and auditing.
Integrated URL Logging from ASA to NGS
The Integrated URL Logging is activated when you enable these:
- RADIUS accounting from the WLC Anchor Controller to the NGS
- Logging of HTTP GET requests in the ASA
- Sending of syslog messages from the ASA to the NGS
RADIUS accounting provides the NGS with a mapping between the guest IP address and the guest user ID for a specific time period (from the accounting Start to the accounting Stop for that session). The logging of HTTP GET requests provides the NGS with a log of which URL was visited from which guest IP address at what time. The NGS correlates the two by time: a URL log entry is attributed to the guest whose accounting session held that source IP address when the entry was generated, which lets the NGS produce a report of the URLs visited by a particular guest for a particular time period.
Note that accurate time is required for this correlation to work properly, because the timestamps come from two different devices: the ASA stamps the syslog messages and the Anchor Controller stamps the accounting records. A clock offset between them can attribute URLs to the wrong guest, particularly around the moment an IP address is released by one guest and reassigned to another. For this reason, the configuration of NTP servers is highly recommended on the ASA, WLC, and NGS.
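As an added worked example (not part of the original document, and not NGS code), the following Python script performs the correlation described above over a handful of constructed records: three RADIUS accounting records for the guest address 192.168.0.10 and five syslog lines of the form the ASA produces. The 304001 layout ("<timestamp>: %ASA-5-304001: <src_ip> Accessed URL <dst_ip>:<url>", with the timestamp that "logging timestamp" adds) and the simplified accounting record structure are assumptions; the sample data, the user names guest1 and guest2, the destination 198.51.100.7 and the reporter address 10.9.9.9 are constructed for illustration. It also shows the two failure modes a practitioner cares about: a URL logged outside any accounting session is left unattributed rather than guessed, and a syslog line from a host other than the ASA is rejected instead of being written into a guest's activity log.

```python
"""Correlate ASA 304001 URL logs with RADIUS accounting (added example).

Illustrative re-implementation of the correlation the NGS performs; not NGS code.
Assumed (not stated on the page): a 304001 line reads
"<MMM DD YYYY HH:MM:SS>: %ASA-5-304001: <src_ip> Accessed URL <dst_ip>:<url>"
and accounting records are reduced to the attributes the correlation needs.
All sample records below are constructed for this example.
"""
import re
from datetime import datetime

TS_FORMAT = "%b %d %Y %H:%M:%S"
ASA_ADDRESS = "192.168.59.49"  # the lab ASA; the only syslog reporter we trust

# Constructed syslog as received by the NGS: (reporter address, message).
SYSLOG = [
    (ASA_ADDRESS, "Apr 01 2009 14:51:03: %ASA-5-304001: 192.168.0.10 Accessed URL "
                  "192.168.219.25:http://www.cisco.com/"),
    (ASA_ADDRESS, "Apr 01 2009 14:52:10: %ASA-5-304001: 192.168.0.10 Accessed URL "
                  "192.168.219.25:http://www.cisco.com/go/wireless"),
    # Same IP later in the day: by then the address belongs to a second guest.
    (ASA_ADDRESS, "Apr 01 2009 16:05:00: %ASA-5-304001: 192.168.0.10 Accessed URL "
                  "198.51.100.7:http://example.net/"),
    # Before any accounting Start for this IP: must not be attributed to anyone.
    (ASA_ADDRESS, "Apr 01 2009 13:00:00: %ASA-5-304001: 192.168.0.10 Accessed URL "
                  "198.51.100.7:http://example.net/early"),
    # Well-formed 304001 from a host that is not the ASA: a forged entry.
    ("10.9.9.9", "Apr 01 2009 14:53:00: %ASA-5-304001: 192.168.0.10 Accessed URL "
                 "198.51.100.7:http://forged.example/"),
]

# Constructed RADIUS accounting records from the Anchor Controller.
ACCOUNTING = [
    {"time": "Apr 01 2009 14:50:30", "Acct-Status-Type": "Start",
     "User-Name": "guest1", "Framed-IP-Address": "192.168.0.10"},
    {"time": "Apr 01 2009 15:30:00", "Acct-Status-Type": "Stop",
     "User-Name": "guest1", "Framed-IP-Address": "192.168.0.10"},
    {"time": "Apr 01 2009 16:00:00", "Acct-Status-Type": "Start",
     "User-Name": "guest2", "Framed-IP-Address": "192.168.0.10"},
]

URL_LOG = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-304001: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) Accessed URL (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<url>\S+)$"
)


def parse_url_log(line):
    """Return {time, src, dst, url} for a 304001 message, or None for anything else."""
    m = URL_LOG.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m["ts"], TS_FORMAT),
            "src": m["src"], "dst": m["dst"], "url": m["url"]}


def build_sessions(records):
    """Turn Start/Stop records into (user, ip, start, end) intervals.

    A Start for an IP that is still open implicitly ends the earlier session
    (the lease moved to a new guest); a session with no Stop stays open (end None).
    """
    open_by_ip, sessions = {}, []
    for rec in sorted(records, key=lambda r: datetime.strptime(r["time"], TS_FORMAT)):
        t, ip = datetime.strptime(rec["time"], TS_FORMAT), rec["Framed-IP-Address"]
        if rec["Acct-Status-Type"] == "Start":
            if ip in open_by_ip:
                user, start = open_by_ip.pop(ip)
                sessions.append((user, ip, start, t))
            open_by_ip[ip] = (rec["User-Name"], t)
        elif rec["Acct-Status-Type"] == "Stop" and ip in open_by_ip:
            user, start = open_by_ip.pop(ip)
            sessions.append((user, ip, start, t))
    sessions.extend((user, ip, start, None) for ip, (user, start) in open_by_ip.items())
    return sessions


def attribute(sessions, entry):
    """Name the guest who held entry['src'] at entry['time'], or None if nobody did."""
    for user, ip, start, end in sessions:
        if ip == entry["src"] and start <= entry["time"] and (end is None or entry["time"] < end):
            return user
    return None


def activity_report(syslog, accounting, trusted_reporter=ASA_ADDRESS):
    """Per-guest URL activity, plus what could not be attributed and what was rejected."""
    sessions = build_sessions(accounting)
    report = {"by_user": {}, "unattributed": [], "rejected": []}
    for reporter, line in syslog:
        if reporter != trusted_reporter:   # syslog is unauthenticated: trust only the ASA
            report["rejected"].append(line)
            continue
        entry = parse_url_log(line)
        if entry is None:                  # some other message type; not a URL log
            continue
        user = attribute(sessions, entry)
        if user is None:
            report["unattributed"].append(entry["url"])
        else:
            report["by_user"].setdefault(user, []).append(
                (entry["time"].strftime(TS_FORMAT), entry["url"]))
    return report
```

Calling activity_report(SYSLOG, ACCOUNTING) attributes the two cisco.com URLs to guest1 and the 16:05 request to guest2, even though all three came from the same source address; the 13:00 request falls outside every session and stays unattributed, and the line from 10.9.9.9 is rejected. The same logic is what makes the NTP requirement concrete: shift the ASA clock by an hour and the 16:05 entry lands on guest1 instead.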
Configurations
This document uses these configurations:
ASA Configuration
Key configuration tasks on the ASA include these:
- NTP
- HTTP inspection
- Syslog
NTP is required to ensure proper correlation of messages by the NGS. HTTP inspection enables URL logging. Syslog is the method used to send the URL logs to the NGS.
In this example, this command is used to enable NTP on the ASA:
ntp server 192.168.215.62
HTTP inspection is what enables the ASA to log URLs. The inspect http command is placed under a class-map within a policy-map; once that policy is applied with the service-policy command, the ASA logs each HTTP GET request as syslog message 304001. ASA code 8.0.4.24 or later is required for message 304001 to include the hostname as part of the URL; without it the logged URL does not identify the site by name, which is what the NGS report needs.
In this example, these are the relevant commands:
policy-map global_policy
 class inspection_default
  inspect http
!
service-policy global_policy global
Syslog is the method used to communicate URL logging to the NGS. In this example, the logging list restricts what is sent to the syslog host to message 304001, so the NGS receives only URL logs:
logging enable
logging timestamp
logging list WebLogging message 304001
logging trap WebLogging
logging facility 21
logging host inside 192.168.215.16
WLC Configuration
Key configuration steps for the Wireless LAN Controllers include these:
- Basic Guest Access
- NTP
- RADIUS Accounting
Basic guest access configuration involves the configuration of a WLC Foreign Controller and WLC Anchor Controller so that guest traffic is tunneled through the enterprise network to the Internet DMZ. The configuration of basic guest access is covered in separate documentation. Illustrations that show the configuration for the setup are covered in the Appendix.
NTP servers are added at the Controller/NTP screen.
NTP Configuration on WLC
A RADIUS accounting server is required so that the NGS can map the source IP address received in the ASA syslog messages to the guest who held that address at that time.
These two screens show the configuration of RADIUS authentication and RADIUS accounting on the WLC Anchor Controller. RADIUS configuration is not required on the Foreign Controller.
RADIUS authentication
NGS Configuration
Key configuration steps for the NGS include these:
- NTP
- RADIUS clients
- Syslog
The NGS server is configured from the https://(ip_address)/admin web page. The default username/password is admin/admin; change this password before the server is placed on the network, since this account controls the RADIUS and syslog settings that the audit trail depends on.
NTP servers are added in the Server/Date-Time-Settings screen. It is recommended that the System Timezone be set to the timezone where the server is physically located. When NTP is synchronized, you see a message at the bottom of this screen that says, “Status: Active NTP servers” along with the IP address that shows “current time source.”
NGS NTP Configuration
The NGS server needs to be configured with the IP address of the Anchor Controller as a RADIUS client. This screen is located at the Devices/RADIUS-Clients page. Make sure that the shared secret is the same as was entered on the Anchor Controller. Click the Restart button after you make changes to restart the RADIUS service on the NGS server.
RADIUS Clients
By default, the NGS server accepts syslog messages from any IP address, so no additional steps are required on the NGS to receive the syslog messages from the ASA. Because syslog carries no authentication, this also means that a 304001 message from any host that can reach the NGS syslog port ends up in a guest's Activity Log. If the reports are to be relied on for compliance, restrict that reachability to the ASA (for example with an ACL on the switch or firewall in front of the NGS), and check the Device address shown in the report against the address of your ASA.
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Follow these steps to verify that URL logging works properly.
1. From a client PC, connect to the wireless guest network. The PC receives an IP address, default gateway, and DNS server from the DHCP server in the Anchor Controller.
2. Open a web browser. You are redirected to a login screen. Enter a guest username and password. Upon successful authentication, you are redirected to a default page on the Internet.
3. Browse to various web pages on the Internet.
4. Connect a management PC to the NGS at https://(ip_address) and log in as a sponsor.
5. Click Account Management. You see a list of guest accounts. (If your guest account does not show up, click the Advanced Search button and clear the filter that specifies that this sponsor can only see accounts that they created.)
6. Find the guest user account in the list. Scroll to the right until you see the details icon. Click the details icon.
7. Click the Activity Log tab. You see a list of the URLs that the guest visited.
URL Logging Report for user
The report shows that the guest user visited http://www.cisco.com on April 1, 2009 at 2:51 PM. The Device address of 192.168.59.49 is the IP address of the ASA that sent the syslog message containing the URL log. The source IP address for the guest users is 192.168.0.10. The destination address is 192.168.219.25 for http://www.cisco.com.
Appendices
Appendix A – Wired-Guest option
Up to this point, this article has covered “Integrated URL Logging and Reporting of Guest Traffic” for use in a “wireless-guest” network. This section provides details to configure a “wired-guest,” as well. Wired-guests and wireless-guests can be enabled on the same WLC Foreign Controller.
This is the network diagram for the Wired-Guest Network Lab.
Wired-Guest Lab Topology
The wired-guest lab topology is similar to the wireless-guest lab topology, shown earlier, except for the addition of a wired-guest VLAN. The wired-guest VLAN, shown in red, is a Layer-2 connection between the wired-guest PC and the WLC Foreign Controller. Traffic from the wired-guest is received by the WLC Foreign Controller and sent by EoIP to the WLC Anchor Controller. The WLC Anchor Controller provides DHCP and authentication services for the wired-guest user in the same way it provided these services for the wireless-guest user. The default gateway is the ASA, and the DNS server is a public server on the Internet. Logically, all traffic in and out of the subnet is protected by the ASA.
Do not configure a Layer-3 interface (for example an SVI on the Catalyst switch) on the wired-guest VLAN. The wired-guest VLAN is intended to be a pure Layer-2 path into the Foreign Controller; a routed interface on it gives wired guests a next hop into the corporate network that bypasses the EoIP tunnel and the ASA.
Appendix B – Detailed Configurations for the WLCs
WLC Anchor Controller
Anchor Controller Interfaces
Configuration of the interfaces on the Anchor Controller is shown:
The ap-manager and management interfaces are on the native VLAN of physical port 1 of the WLC. Port 1 connects to the Catalyst switch and receives traffic from the customer network. Guest traffic is received through the EoIP tunnel from the Foreign Controller and terminates through this port.
The guest interface is on the native VLAN of port 2, and the wired interface is on VLAN 9 of port 2. Port 2 connects to the ASA and is used to send traffic out to the Internet.
Anchor Controller Mobility Groups
For this example, one Mobility Group is configured for the Foreign Controller (Wired) and a separate Mobility Group for the Anchor Controller (Anchor). The configuration on the Anchor Controller is shown.
Anchor Controller - Set Anchor for Guest WLAN
In order to configure or show Mobility Anchors for a WLAN, move your mouse to the drop-down arrow at the right, and choose Mobility Anchors, as shown.
WLC Foreign Controller
Interfaces
The configuration of the interfaces on the Foreign Controller is shown.
The ap-manager and management interfaces are on the native VLAN of physical port 1 of the WLC.
The wired interface is optional and is only required if you want to provide wired-guest access. The wired interface is on VLAN 8 of physical port 1. This interface receives traffic from the Guest VLAN of the Catalyst switch and sends it out the EoIP tunnel, through the native VLAN, to the Anchor Controller.
Foreign Controller - Mobility Groups
The configuration on the Foreign Controller is shown.
In order to configure or show Mobility Anchors for a WLAN, move your mouse over the drop-down arrow at the right and choose Mobility Anchors, as shown.
Appendix C – ASA Configuration
ASA-5520# show run
: ASA Version 8.0(4)26
!
hostname ASA-5520
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.59.49 255.255.255.240
!
interface GigabitEthernet0/2          <- Guest traffic enters this interface
 nameif wireless_guest
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.99.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-26-k8.bin
clock timezone CST -6
clock summer-time CDT recurring
logging enable
logging timestamp                      <- provide a timestamp in each syslog message
logging list WebLogging message 304001 <- list includes URL Log message (304001)
logging console errors
logging buffered notifications
logging trap WebLogging                <- Send this list of Log messages to syslog servers
logging asdm informational
logging facility 21
logging host inside 192.168.215.16     <- NGS is the syslog server
asdm image disk0:/asdm-61551.bin
route inside 10.10.10.0 255.255.255.0 192.168.59.62 1
route inside 192.168.215.0 255.255.255.0 192.168.59.62 1
route inside 198.168.1.15 255.255.255.255 192.168.59.62 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.99.0 255.255.255.0 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 198.168.1.15                <- Configure ntp server
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http                         <- Enable http inspection on the global policy
!
service-policy global_policy global    <- Apply the policy
prompt hostname context
Cryptochecksum:b43ff809eacf50f0c9ef0ae2a9abbc1d
: end