Network Virtualization Access Control Design Guide

This document provides design guidance for enterprises that want to provide Internet and limited corporate access for their guests and partners. Several solutions for guest and partner access challenges are proposed and analyzed in this document, at both the architectural and functional levels.

For related information, see the following documents:
• Network Virtualization—Guest and Partner Access Deployment Guide (OL-13635-01)
• Network Virtualization—Network Admission Control Deployment Guide (OL-13636-01)
• Network Virtualization—Network Hosted Access Deployment Guide (OL-13634-01)
• Network Virtualization—Path Isolation Design Guide (OL-13638-01)
• Network Virtualization—Services Edge Design Guide (OL-13637-01)

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2007 Cisco Systems, Inc. All rights reserved.

Contents
• Introduction
• Technology Scope
• Client-Based Authentication
• Framework
• Wireless Guest Access
• Lightweight Access Point Deployment with the Cisco WLAN Controller
• Authentication Failure VLAN Wired
• Auth-Fail-VLAN Operational Overview
• Auth-Fail-VLAN Configuration
• Auth-Fail-VLAN Verification
• Auth-Fail-VLAN Summary and Recommendations
• Clientless-Based Authentication
• Static VLAN Configuration
• Guest-VLAN
• Guest-VLAN Functionality
• Guest-VLAN Configuration
• Wake-on-LAN Primer
• Guest-VLAN and WoL Interaction
• Interaction with VoIP Deployments
• Guest-VLAN Summary
• MAC Authentication Primer
• MAC Authentication Bypass Operational Overview
• Rehearsal
• Guest-VLAN Rehearsal
• MAB Operation
• Functional Details
• MAC Authentication Bypass Configuration and Verification
• Configuration
• Timeout
• Verification
• MAC Authentication Bypass Feature Interaction
• MAB and EAPOL Interaction
• MAB and the Guest-VLAN
• MAB and WoL Interaction
• MAC Authentication Bypass Opportunities and Benefits