This section covers hotspot WLAN deployment examples. Today, hotspot WLAN deployments (also known as public WLAN access) are prevalent across coffee shops, airports, and hotels. At some locations, hotspot service is provided for free, whereas in other locations, a service fee (a flat fee or usage-based fee) is charged. The deployment scenarios covered in this section include large-scale WLAN deployment in coffee shops by a single service provider and WLAN deployments in airports.
This example discusses a single service provider's deployment of hotspot service across hundreds of coffee shops. Internet access is provided as the primary service, and users are charged for the service. The service provider uses two different models to charge the users. The first model is a prepaid service in which the user is charged on a per-minute basis for Internet access. The second model is a flat service for an unlimited number of minutes for a fixed monthly fee.
When users initially try to access the Internet, they are authenticated using a web browser that is redirected to a web server. Users provide authentication credentials to the service provider using a secure HTTP browser. After the user is successfully authenticated, he is given full access to the Internet.
The customer deployment criteria are as follows:
- Block user access to the network (HTTP, Telnet, and all other applications) until after successful authentication.
- Use HTTP redirect to force users to authenticate via the regional NOC.
- Authenticate users using secure HTTP (SSL-enabled).
- Dynamically provision new users. A new subscriber is provisioned dynamically via the central NOC using a valid credit card.
- Support two billing models: a usage-per-minute model (using a prepaid account) and an unlimited usage model (using a flat-fee monthly account).
- Protect the WLAN infrastructure in an open access environment.
The customer deployment environment is as follows:
- Each hotspot location (coffee shop) is equipped with a router and an AP to facilitate Internet access.
- Customers are allowed to bring in any device for WLAN access (as long as the device supports an Internet browser).
- Users are billed per hour or can be provisioned an unlimited access account (based on a monthly fee).
- A reliable WAN link exists between a coffee shop and the regional NOC. Internet traffic from authenticated users (valid users) is directed to the Internet gateway via the regional NOC.
- Regional NOCs are connected to the central NOC via a service provider network using high-bandwidth WAN links. User authentication traffic is directed to the central NOC, where the AAA server, customer DB, and billing server are located.
The WLAN infrastructure was configured with open/no WEP access at each coffee shop to allow users to associate to the network at the Layer 2 level. However, the Cisco SSG function was used at the Layer 3 level on the regional NOC router to control user access. Specifically, HTTP redirect was used to authenticate users via the central NOC using the secure HTTP protocol. A user must possess a prepaid account or a monthly fee account to authenticate successfully. Also, a user was allowed to provision a new account using HTTP redirect via the central NOC. In this scenario, the user provides credit card information via secure HTTP to the service provider and dynamically provisions an account. After the user is successfully authenticated, the SSG gateway at the regional NOC allows the user traffic to be routed to the regional ISP gateway. Figure 13-12 illustrates the customer deployment.
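The access-control and billing logic described above (block everything until authentication, redirect HTTP to the portal, accept prepaid or flat-fee accounts, provision new accounts over the portal, and meter prepaid sessions per minute) can be modelled as a small gateway state machine. The following is an added illustration written for this page; it is not Cisco SSG code or the service provider's configuration. The portal host name, the account records, the client MAC addresses, and the `card_ok` flag that stands in for credit-card validation are all constructed assumptions.

```python
"""Model of the hotspot gateway decision logic (the regional NOC SSG role).

Added example for this page; not Cisco SSG or service-provider code.
PORTAL_HOST, the accounts and the MAC addresses below are assumed values.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

PORTAL_HOST = "portal.central-noc.example"        # assumed central NOC portal
PORTAL_URL = f"https://{PORTAL_HOST}/login"


@dataclass
class Account:
    plan: str            # "prepaid" (per-minute balance) or "flat" (monthly fee)
    password: str
    minutes_left: int = 0  # only meaningful for prepaid accounts


@dataclass
class Session:
    username: str
    plan: str
    minutes_used: int = 0


class HotspotGateway:
    """Layer 3 gate between the coffee-shop WLAN and the Internet gateway."""

    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts                 # stands in for the central NOC AAA/customer DB
        self.sessions: Dict[str, Session] = {}   # authenticated clients, keyed by client MAC

    def forward(self, client_mac: str, proto: str, dst_host: str) -> str:
        """Decide what happens to one flow from a WLAN client."""
        if client_mac in self.sessions:
            return "allow"                       # authenticated: route to the ISP gateway
        if proto == "http":
            return f"redirect {PORTAL_URL}"      # unauthenticated HTTP: force to the portal
        if proto == "https" and dst_host == PORTAL_HOST:
            return "allow"                       # the secure portal itself must stay reachable
        return "drop"                            # Telnet and everything else: blocked

    def authenticate(self, client_mac: str, username: str, password: str) -> bool:
        """Portal login: valid credentials plus a usable plan open the session."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return False
        if acct.plan == "prepaid" and acct.minutes_left <= 0:
            return False                         # exhausted prepaid balance
        self.sessions[client_mac] = Session(username, acct.plan)
        return True

    def provision(self, username: str, password: str, plan: str,
                  card_ok: bool, minutes: int = 0) -> bool:
        """Dynamic provisioning over the portal; card validation is reduced to a flag."""
        if not card_ok or username in self.accounts or plan not in ("prepaid", "flat"):
            return False
        self.accounts[username] = Account(plan, password, minutes)
        return True

    def tick(self, client_mac: str, minutes: int = 1) -> Optional[str]:
        """Accounting: charge prepaid sessions per minute; flat accounts are unmetered."""
        sess = self.sessions.get(client_mac)
        if sess is None:
            return None
        sess.minutes_used += minutes
        acct = self.accounts[sess.username]
        if acct.plan == "prepaid":
            acct.minutes_left -= minutes
            if acct.minutes_left <= 0:
                del self.sessions[client_mac]    # balance exhausted: back to the portal
                return "terminated"
        return "active"


if __name__ == "__main__":
    gw = HotspotGateway({"alice": Account("prepaid", "pw", minutes_left=2)})
    mac = "00:aa:bb:cc:dd:01"                    # constructed client MAC
    print(gw.forward(mac, "http", "www.example.com"))   # redirect to the portal
    print(gw.forward(mac, "telnet", "10.0.0.1"))        # drop
    print(gw.authenticate(mac, "alice", "pw"))          # True
    print(gw.tick(mac), gw.tick(mac))                   # active terminated
```

The model keeps the two billing plans apart only in `tick`: a flat-fee session is never terminated by accounting, while a prepaid session is torn down the moment its balance reaches zero, which sends the next HTTP request back to the portal.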
It is critical to protect the WLAN infrastructure in a hotspot deployment. In this deployment, secure management practice was implemented for the APs. This meant disabling Telnet access and enabling SSH access to the APs. SSH, SNMP, HTTP, and RADIUS traffic to the APs was restricted to servers residing in the regional and central NOCs only. (WLAN users were disallowed access to the AP.) WLSE was deployed at the central NOC to manage configuration and firmware on the APs. Additionally, RF monitoring was enabled to detect unauthorized activity at hotspot locations. WLSE 2.5 or later, together with AP IOS release 12.2(13)JA or later, is required to enable RF monitoring. To facilitate RF monitoring, the WDS service was enabled on one AP per hotspot location.
In addition to enabling the previous features to secure the WLAN infrastructure, Public Secure Packet Forwarding (PSPF) was implemented to provide some level of security for WLAN hotspot users. PSPF function on the AP disallows communication between users who are associated to the same AP.
Finally, a MAC-address filter was created with a default gateway (DG) MAC address to disallow association of any WLAN user using the DG MAC address. This prevents denial-of-service (DoS) and man-in-the-middle (MitM) attacks using the DG MAC address. This function is available on 12.2(13)JA AP IOS release and above.
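The three AP hardening measures just described (Telnet off and SSH on with management reachable only from NOC servers, PSPF on every radio, and the default-gateway MAC excluded from association) are easy to drift away from across hundreds of sites, so a defender would want to check them mechanically. The following audit script is an added example for this page, not Cisco or WLSE tooling. The sample configuration, the NOC subnets, and the gateway MAC are constructed; the IOS commands it looks for are the standard autonomous-AP forms (`transport input ssh`, `access-class`, `bridge-group 1 port-protected`, `dot11 association mac-list`), and an operator should adjust the patterns to the exact release in use.

```python
"""Audit an autonomous Cisco AP config against the hotspot hardening steps.

Added example for this page; not Cisco or WLSE code. SAMPLE_CONFIG,
NOC_SUBNETS and GATEWAY_MAC are constructed values.
"""
import re
from typing import Dict, List, Tuple

# Assumed regional/central NOC management ranges, in IOS wildcard-mask form.
NOC_SUBNETS = {"10.10.0.0 0.0.0.255", "10.20.0.0 0.0.0.255"}
GATEWAY_MAC = "0011.2233.4455"   # assumed default-gateway MAC of the hotspot subnet

SAMPLE_CONFIG = """\
hostname hotspot-ap-17
ip ssh version 2
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 permit 10.20.0.0 0.0.0.255
access-list 700 deny 0011.2233.4455 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
dot11 association mac-list 700
snmp-server community s3cr3tRO RO 10
no ip http server
ip http secure-server
ip http access-class 10
interface Dot11Radio0
 bridge-group 1
 bridge-group 1 port-protected
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level lines and, for each, its indented sub-commands."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def acl_entries(top: List[str], number: str) -> List[Tuple[str, str]]:
    """(action, body) pairs of a numbered access list."""
    pat = re.compile(rf"^access-list {number} (permit|deny) (.+)$")
    return [(m.group(1), m.group(2)) for l in top for m in [pat.match(l)] if m]


def acl_restricted_to_noc(top: List[str], number: str) -> bool:
    entries = acl_entries(top, number)
    return bool(entries) and all(a == "permit" and b in NOC_SUBNETS for a, b in entries)


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    findings: List[str] = []

    # 1. SSHv2 on, Telnet off, vty reachable only from NOC servers.
    if "ip ssh version 2" not in top:
        findings.append("SSHv2 not enabled")
    vty_keys = [k for k in blocks if k.startswith("line vty")]
    if not vty_keys:
        findings.append("no vty configuration")
    for key in vty_keys:
        subs = blocks[key]
        if "transport input ssh" not in subs:
            findings.append(f"{key}: Telnet not disabled (need 'transport input ssh')")
        m = next((re.match(r"access-class (\d+) in", s) for s in subs
                  if s.startswith("access-class")), None)
        if not m or not acl_restricted_to_noc(top, m.group(1)):
            findings.append(f"{key}: management access not restricted to NOC subnets")

    # 2. HTTP management bound to a NOC-only ACL.
    m = next((re.match(r"ip http access-class (\d+)", l) for l in top
              if l.startswith("ip http access-class")), None)
    if not m or not acl_restricted_to_noc(top, m.group(1)):
        findings.append("HTTP management not restricted to NOC subnets")

    # 3. Every SNMP community bound to a NOC-only ACL.
    for l in top:
        m = re.match(r"snmp-server community \S+ (RO|RW)(?: (\d+))?$", l)
        if m and not (m.group(2) and acl_restricted_to_noc(top, m.group(2))):
            findings.append("SNMP community not restricted to NOC subnets")

    # 4. PSPF: client-to-client forwarding disabled on each radio.
    for key, subs in blocks.items():
        if key.startswith("interface Dot11Radio") and \
                not any(s.endswith("port-protected") for s in subs):
            findings.append(f"{key}: PSPF not enabled")

    # 5. Default-gateway MAC denied by the association MAC filter.
    m = next((re.match(r"dot11 association mac-list (\d+)", l) for l in top
              if l.startswith("dot11 association")), None)
    denied = bool(m) and any(a == "deny" and b.startswith(GATEWAY_MAC)
                             for a, b in acl_entries(top, m.group(1)))
    if not denied:
        findings.append("default-gateway MAC not blocked from association")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "all hardening checks passed")
```

Running the audit over configurations pulled from every site turns the measures in the text into a repeatable check rather than a one-time build step; the NOC-subnet comparison is deliberately strict, so any ACL entry outside the NOC ranges is reported.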
WLAN is typically deployed at an airport for private and public use. Private use of a WLAN by airlines for operational functions such as baggage handling and passenger check-in is common across many airports. Public use, such as hotspot deployment to facilitate Internet access, is also common across many airports. It has become common practice to leverage a single WLAN infrastructure for both private and public usage at an airport. This example captures details of a typical WLAN deployment at an airport.
The customer deployment criteria are the following:
- A single WLAN infrastructure is used to provide services to multiple parties: both "private" and public WLAN access.
- Typical private use: An airline employee uses WLAN access to execute customer check-in and baggage-handling functions.
- Allow a service provider to provide hotspot service.
The customer deployment environment is as follows:
- WLAN coverage is provided throughout the airport.
- Both wireless and wired infrastructure are owned by the airport authority.
- Airlines own their back-end infrastructure for private applications (such as customer check-in and baggage handling).
- A hotspot (public Internet access) service provider router is located on the airport premises.
Multiple SSID and VLAN functionalities on the Cisco AP platforms were used to provide both public and private access using a single WLAN infrastructure. A private SSID/VLAN was created according to specifications by an airline for its private usage. For example, an airline company might choose to implement IPSec over WLAN as the security model to secure its private data over the shared WLAN infrastructure. In this scenario, each end client must be equipped with a VPN client, and the IPSec session would terminate on the VPN concentrator located at the airline's back-end infrastructure (the airline's private wired LAN). However, one of the challenges with IPSec over WLAN is end-device support. For example, the VPN client might not be available for WLAN-enabled handheld devices used by airline employees for baggage tracking and handling activities.
Alternatively, the airline could choose to implement EAP/802.1x with WPA over the WLAN as the security model for these handheld devices (if possible) and then securely tunnel the traffic to the airline's private LAN. If EAP/802.1x with WPA over the WLAN is not an option, another security mechanism to consider would be an SSL-enabled VPN. In this scenario, each handheld device would use an SSL-enabled application to secure transactions with an SSL-enabled VPN concentrator located on the airline's private VLAN.
Figure 13-13 illustrates the overall topology for an airport wireless LAN and wired LAN deployment. As shown in the figure, multiple SSIDs and wired VLANs facilitate both private and public applications over the same WLAN infrastructure. Up to 16 SSIDs and VLANs (including management VLAN for the APs) can be enabled on the Cisco wireless LAN infrastructure.
To facilitate hotspot service, an open/no WEP SSID/VLAN was provisioned across the airport on all APs. Traffic from the hotspot VLAN was GRE-tunneled to the service provider's router (SSG-enabled) located on the airport premises. The service provider used the same model described in the coffee shop example to dynamically provision users, authenticate users, and allow Internet access for valid users. Refer to the coffee shop example for additional information on providing hotspot Internet access services.