#CiscoLive

BRKEWN-2037
OpenRoaming under the hood

Bart Brinckman, Distinguished E
Flavio Correa, Technical Solutions A

2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
- What is it and why would I use it?
- How it works under the hood
- Your own Identity: SDK and Web-based provisioning
- Configuring and troubleshooting
- Seamless Roaming
- Carrier Offload
- Conclusion
What is OpenRoaming & why would I use it?
We start with... the problem.

Our Goal: Intelligent Multi-Access
- Seamless Handover: roaming between Wi-Fi (private) and cellular (public)
- Seamless Interworking: policy-based path selection for loosely coupled Access Networks
- Frictionless Onboarding: OpenRoaming (assure access to all available paths)

Seamless roaming across enterprise and service provider based on context and policy.
Access providers: Public, Ent., Guest, Home
Scenarios: Driving, Corporate office, Customer call in the car, Visit to the secure warehouse, Coffee shop, Hotel, Football match
Identity providers: Service-based
Wi-Fi 6 and 5G: Converged Access for People and Things
To use all wireless stacks better, we need...
OpenRoaming is a federation of identity & access providers to enable seamless roaming & onboarding

Identity Federation
OpenRoaming: Opening the Wi-Fi Ecosystem to new experiences & business models
Leverage Identity Federation to scale and facilitate relationships
Guest/Thing on Wi-Fi
Legal Framework; Discovery, Policy, Security & Privacy
Participants (access providers and identity providers): Venue/Loyalty, MSO, Web/Cloud, Enterprise, Healthcare, Retail, Hospitality, Education, Smart City, MNO, Device

Which IDs are available?
- OpenRoaming Cloud ID
- Device Embedded
- Loyalty
- Enterprise
- Service Provider
(App screenshot: "To enjoy seamless and secure WiFi, please choose an account for activation": Continue with Apple / Continue with Google)
Use case: Seamless onboarding

Use Case: Get users seamlessly and securely connected to a venue's Wi-Fi network.
Value proposition:
- User: Better user experience, device is on the internet and ready to go. Enhanced Security & Privacy vs portal-based solution.
- Venue: Improved customer experience & satisfaction. Reduced IT and non-IT staff burden: Wi-Fi as easy as power. Secure and private: lower exposure to malicious actors. Analytics: venue flow and density analytics.
Who should run it?
- Public areas: Municipal Wi-Fi, libraries, public buildings
- Healthcare: Hospitals and care centers
- Transportation: Airports and train stations
- Retail: Shopping malls, big box stores
- Hospitality: Hotels and event venues
Onboarding is offered via the Wi-Fi Picker or via the Notification Bar.

Use case: Service provider indoor coverage

Use Case: Improve bad SP indoor coverage at a fraction of the cost of DAS (Digital Antenna Systems).
Value proposition:
- User: Good indoor voice and data.
- Venue: Improved customer experience & satisfaction. Reduced IT and non-IT staff burden: Wi-Fi as easy as power. Lower-cost alternative to DAS, or in combination with DAS for lower-cost capacity. Own the Analytics: venue flow and density analytics.
Who should run it?
- Public indoor areas: libraries, public buildings
- Healthcare: Hospitals and care centers
- Transportation: Airports and train stations
- Retail: Shopping malls, big box stores, supermarkets
- Hospitality: Hotels and event venues
Cost comparison to DAS (chart): SP1 on DAS* vs SP2 on Wi-Fi*

Use case: Smart contextual loyalty experiences

Use Case: Connect loyalty users and visitors seamlessly, get person-based insights, and communicate with the visitor in real time.
Value proposition:
- User: Better user experience, device is on the internet and ready to go. Able to communicate with the venue in real time.
- Venue: Improved customer experience & satisfaction. Reduced IT and non-IT staff burden: Wi-Fi as easy as power. Better persona-based Analytics. Real-time location-based notifications.
Who should run it?
- Retail: Shopping malls, big box stores, grocery stores with loyalty programs
- Hospitality: Hotels with loyalty programs, events with event/fan apps
- Healthcare: Hospitals with patient apps

Use Case summary
- Smart, Contextual Loyalty Experiences: iOS & Android: DNA Spaces SDK; Web-based APIs for Web and Portal
- Seamless, Secure Onboarding & User Insights: OpenRoaming Mobile App; Devices with Native Support; Publicly available IDPs
- Enhance Carrier Indoor Coverage: Service Provider (SP) Offload to Wi-Fi
Cisco Spaces packages: Cisco Spaces SEE, Cisco Spaces ACT, Cisco Spaces EXTEND
Catalyst Wireless customers with a DNA Advantage license have Cisco Spaces SEE and EXTEND included and can be enabled today!

How it works: under the hood
What we are all here for.

The basic idea: Leverage and modernize roaming
Identity providers: Venue/Loyalty, MNO, MSO, Web, Enterprise
1. Pre-association policy exchange: market reality drives us to leverage widely adopted technology and improve over time.
   - Passpoint, Phase 1: leverage what is supported. Repurpose the home/visited concept to signal IDP prioritization; leverage the 5-byte RCOI field to signal policy.
   - Phase 2: improve the standard. Update standard attributes to support policy exchange.
2. Scalable and secure roaming solution that is open to any IDP and scales to millions of participants.
   - Current methodologies scale to 100s of participants: bilateral agreements (SP <-> SP) and roaming hubs (SP <-> Hub <-> SP).
   - Identity federation scales to millions of participants.

OpenRoaming: Building blocks
Components: Wi-Fi Access Network, Service Advertisement, Authentication & Accounting, open-roaming Identity Federation, Access Provider Signup, IdP Signup, Service discovery, Identity Provider, Policy, Proxy Service
1. Identity Federation: PKI-based trust model and legal framework
2. Federation that dynamically discovers peers & services and allows for secure direct peering
3. Dynamic policy at the edge enables real-time ad-hoc roaming agreements
4. Secure authentication and accounting over TLS
5. Proxy services can connect cloud-based identities or offer value-added services (e.g. settlement)

Federation Architecture
PKI Framework:
- WBA ROOT CA, with signing intermediate CAs: CISCO SIGNING I-CA (Cisco customers & partners), GOOGLE SIGNING I-CA (Google customers & partners), WBA SIGNING I-CA (WBA members), KYRIO SIGNING I-CA (Anyone, paid)
- WBA POLICY CA
Legal Framework:
- End user Terms of Service: governs acceptable use and privacy
- Identity Provider agreement: governs roaming
- Access Network agreement: governs service and acceptable use

AireOS/Catalyst Architecture
Controller -> RADIUS -> Hotspot connector -> RADSEC -> open-roaming Identity Federation -> RADSEC PROXY (or AAA) -> AAA at the IDP
Credential: Sign-up/Manage Credential; Certificate Authority & Revocation service
Hotspot connector functions: OpenRoaming.org PKI management, DNS-based IDP discovery, TLS tunnel management, RADIUS-RADSEC proxy, RADIUS attribute adaptation, Management Websocket

Meraki Architecture
RADIUS over Next-Tunnel -> Meraki Cloud -> RADSEC -> open-roaming Identity Federation -> RADSEC PROXY (or AAA) -> AAA at the IDP
Meraki API provisioning (Certs, SSID); Credential: Sign-up/Manage Credential

OpenRoaming Complete Flow
Wi-Fi Access Network <-> OpenRoaming Identity Federation <-> Identity Provider
- Device: automatic SSID discovery using Passpoint
- ANQP + EAP-based user authentication
- IDP Discovery: configure DNS
- TLS based encryption
- Authentication, Policy, Accounting
- Enterprise based security; IDP controls privacy
Onboarding flow: SSID discovery and selection
(Same end-to-end diagram, with the device's automatic SSID discovery using Passpoint highlighted.)

SSID discovery and selection using 802.11u
Device <-> AP/WLC:
1. Device roams into wireless coverage
2. 802.11u Scan Request / 802.11u Scan Report
3. 802.11u GAS request (ANQP Query) / 802.11u GAS response (ANQP Resp)
4. Device selects profile
5. Associate
Step 1: AP Beacon or Probe response info: RCOIs 004096, 5a03ba0000

OpenRoaming RCOI
| Description | WBA Roaming OI | Cisco Roaming OI |
| All | 5A03BA0000 | 004096 |
| All with real-ID only | 5A03BA1000 | 00500B |
| All paid | BAA2D00000 | 00500F |
| Device Manufacturer | 5A03BA0A00 | 00502A |
| Device Manufacturer real-ID | 5A03BA1A00 | 0050A7 |
| Cloud ID | 5A03BA0200 | 005014 |
| Cloud ID real-ID | 5A03BA1200 | 0050BD |
| Enterprise ID | 5A03BA0300 | 00503E |
| Enterprise ID real ID | 5A03BA1300 | 0050D1 |
| Enterprise Customer program ID | Not defined | 005050 |
| Enterprise Customer program real ID | Not defined | 0050E2 |
| Loyalty Retail | 5A03BA0B00 | 005053 |
| Loyalty Retail real ID | 5A03BA1B00 | 0050F0 |
| Loyalty Hospitality | 5A03BA0600 | 005054 |
| Loyalty Hospitality real ID | 5A03BA1600 | 00562B |
| SP free Bronze QoS | 5A03BA0100 | 005073 |
| SP free Bronze QoS real ID | 5A03BA1100 | 0057D2 |
| SP paid Bronze QoS | BAA2D00100 | Not defined |
| SP paid Bronze QoS real ID | BAA2D01100 | Not defined |
| SP paid Silver QoS | BAA2D02100 | Not defined |
| SP paid Silver QoS real ID | BAA2D03100 | Not defined |
| SP paid Gold QoS | BAA2D04100 | Not defined |
| SP paid Gold QoS real ID | BAA2D05100 | Not defined |

Roaming Consortium Organization Identifier (RCOI):
- Allow all: Accepts users from any identity provider (IDP), with any privacy policy.
- Real ID: Accepts users from any IDP, but only with a privacy policy that shares real identity (anonymous not accepted).
- Custom: Accepts users of select identity types and privacy policies associated with the identity types.

New ID Types in OR-Std:
| Description | WBA Roaming OI | Cisco Roaming OI |
| Government ID free | 5A03BA0400 | Not defined |
| Automotive ID free | 5A03BA0500 | Not defined |
| Automotive Paid | BAA2D00500 | Not defined |
| Education/Research ID free | 5A03BA0800 | Not defined |
| Cable ID free | 5A03BA0900 | Not defined |
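To make the RCOI table and the Allow all / Real ID / Custom rules concrete, here is an added Python example (not code from the deck or from any Cisco product) that encodes and decodes the Roaming Consortium element an AP carries in its beacon, looks each OI up in the table above, and decides whether a given device credential is admitted. The element layout (element ID 111, a "number of ANQP OIs" byte, one byte packing the lengths of OI #1 and OI #2, then the OIs) is the IEEE 802.11u element as understood by the author of this example, and the beacon bytes are constructed.

```python
"""Encode/decode the 802.11u Roaming Consortium element and apply OpenRoaming
RCOI policy to a device credential.

Added example, not code from the deck or from any Cisco product. RCOI_TABLE is
copied from the slide. The element layout (element ID 111, a "number of ANQP
OIs" byte, one byte packing the lengths of OI #1 and OI #2 in its low and high
nibbles, then the OIs) is the IEEE 802.11u element as understood by the author
of this example; the beacon bytes used for the demo are constructed.
"""

ROAMING_CONSORTIUM_EID = 111

# (description, WBA Roaming OI, Cisco Roaming OI); None = "Not defined".
RCOI_TABLE = [
    ("All", "5A03BA0000", "004096"),
    ("All with real-ID only", "5A03BA1000", "00500B"),
    ("All paid", "BAA2D00000", "00500F"),
    ("Device Manufacturer", "5A03BA0A00", "00502A"),
    ("Device Manufacturer real-ID", "5A03BA1A00", "0050A7"),
    ("Cloud ID", "5A03BA0200", "005014"),
    ("Cloud ID real-ID", "5A03BA1200", "0050BD"),
    ("Enterprise ID", "5A03BA0300", "00503E"),
    ("Enterprise ID real ID", "5A03BA1300", "0050D1"),
    ("Enterprise Customer program ID", None, "005050"),
    ("Enterprise Customer program real ID", None, "0050E2"),
    ("Loyalty Retail", "5A03BA0B00", "005053"),
    ("Loyalty Retail real ID", "5A03BA1B00", "0050F0"),
    ("Loyalty Hospitality", "5A03BA0600", "005054"),
    ("Loyalty Hospitality real ID", "5A03BA1600", "00562B"),
    ("SP free Bronze QoS", "5A03BA0100", "005073"),
    ("SP free Bronze QoS real ID", "5A03BA1100", "0057D2"),
    ("SP paid Bronze QoS", "BAA2D00100", None),
    ("SP paid Bronze QoS real ID", "BAA2D01100", None),
    ("SP paid Silver QoS", "BAA2D02100", None),
    ("SP paid Silver QoS real ID", "BAA2D03100", None),
    ("SP paid Gold QoS", "BAA2D04100", None),
    ("SP paid Gold QoS real ID", "BAA2D05100", None),
]

# Upper-case hex OI -> description.
RCOI_LOOKUP = {oi.upper(): desc for desc, wba, cisco in RCOI_TABLE
               for oi in (wba, cisco) if oi}


def build_roaming_consortium(ois, anqp_extra=0):
    """AP side: encode 1..3 OIs (hex strings) as a Roaming Consortium element."""
    raw = [bytes.fromhex(o) for o in ois]
    if not 1 <= len(raw) <= 3 or any(not 3 <= len(r) <= 15 for r in raw):
        raise ValueError("need 1..3 OIs of 3..15 bytes each")
    len1 = len(raw[0])
    len2 = len(raw[1]) if len(raw) > 1 else 0
    body = bytes([anqp_extra, (len2 << 4) | len1]) + b"".join(raw)
    return bytes([ROAMING_CONSORTIUM_EID, len(body)]) + body


def parse_roaming_consortium(ie):
    """STA side: return the OIs (upper-case hex) carried in one element."""
    if len(ie) < 4 or ie[0] != ROAMING_CONSORTIUM_EID:
        raise ValueError("not a Roaming Consortium element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated element")
    # body[0] counts further OIs only obtainable via an ANQP query; not decoded here.
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    rest, ois = body[2:], []
    for n in (len1, len2):
        if n:
            ois.append(rest[:n].hex().upper())
            rest = rest[n:]
    if rest:                      # anything left over is OI #3
        ois.append(rest.hex().upper())
    return ois


def describe_rcois(ois):
    """Map advertised OIs to the slide's descriptions."""
    return {oi: RCOI_LOOKUP.get(oi.upper(), "unknown (not an OpenRoaming RCOI)") for oi in ois}


def policy_of(desc):
    """Split a table description into (identity type, requires real ID)."""
    d = desc.lower().replace("-", " ")
    for suffix in (" with real id only", " real id"):
        if d.endswith(suffix):
            return d[:-len(suffix)], True
    return d, False


def device_can_join(advertised_ois, identity_type, shares_real_id):
    """First advertised OI whose policy admits a credential of identity_type, else None.

    "All" admits any IDP; real-ID variants admit only credentials that share the
    real identity; custom OIs admit only their own identity type.
    """
    want = identity_type.lower()
    for oi in advertised_ois:
        desc = RCOI_LOOKUP.get(oi.upper())
        if desc is None:
            continue
        base, real_only = policy_of(desc)
        if base in ("all", want) and (shares_real_id or not real_only):
            return oi.upper()
    return None
```

A venue that advertises only a real-ID RCOI (for example 5A03BA1200) will silently not match a Cloud ID profile whose user chose to hide their identity; `device_can_join` returns None in that case, which is the behaviour to expect when testing access policies.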
802.11u GAS Initial Request (STA) and Response (AP)
Step 1: AP response (.11u and ANQP)
Step 2: STA requests additional information (.11u and ANQP): Domain: ; NAI Realm: openroaming.org

Onboarding flow: IDP Discovery
(Same end-to-end diagram, with IDP Discovery / Configure DNS highlighted.)

IDP Discovery Call Flow (RFC 7585)
Access Provider: Device, AP/WLC, Connector. Identity Provider: IDP DNS.
1. Device roams into wireless coverage; EAPOL Start
2. EAP Request Identity / EAP Response Identity (...)
3. RADIUS Access Request (User-Name: ...) from AP/WLC to Connector
4. Connector -> IDP DNS: NAPTR Query with Realm (...) / NAPTR Response (protocol + SRV record)
5. SRV Query with SRV Record / SRV Response (FQDN + port number)
6. A Query with FQDN record / A Response (AAA IP Address)

dig examples from the slide (the realm and host names were blanked on the slide; the record types, TTLs, the RADSEC port 2083 and the final addresses survive):

  dig -t naptr
  . 300 IN NAPTR 50 50 s aaa+auth:radius.tls.tcp _radiustls._.

  AT&T PLMN 410:
  dig -t naptr wlan.mnc410.mcc310.pub.3gppnetwork.org
  wlan.mnc410.mcc310.pub.3gppnetwork.org. 3600 IN NAPTR 50 50 s aaa+auth:radius.tls.tcp _radiustls._.

  dig -t srv _radiustls._.
  _radiustls._. 300 IN SRV 0 10 2083 .

  dig -t a
  . 300 IN CNAME public-radius-.
  public-radius-. 60 IN CNAME a8f7a7d1bd6e54b4babbed926a990720-b4bc5d7f98840512.elb.us-east-.
  a8f7a7d1bd6e54b4babbed926a990720-b4bc5d7f98840512.elb.us-east-. 60 IN A 54.146.180.226

  dig -t a
  . 300 IN A 3.208.239.144

  dig -t srv _radiustls._.
  . 300 IN SRV 0 10 2083 .
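The dig sequence above, as an added Python example (not from the deck or from the Cisco Spaces connector) that performs the same NAPTR -> SRV -> A walk against a small in-memory zone, so the selection rules (service tag, lowest NAPTR order and preference, lowest SRV priority, port 2083) can be followed offline. The zone, the names idp.example / srvonly.example and the 192.0.2.x addresses are constructed; the 3GPP realm helper reproduces the wlan.mnc410.mcc310.pub.3gppnetwork.org form shown for AT&T.

```python
"""Walk RFC 7585 dynamic discovery (NAPTR -> SRV -> A) for a RADSEC peer
against an in-memory zone, the way the slide's dig sequence does it.

Added example, not code from the deck or from the Cisco Spaces connector.
The zone, its names (idp.example, aaa1.idp.example, srvonly.example) and
addresses are constructed; the service tag "aaa+auth:radius.tls.tcp", the
_radiustls._tcp label and port 2083 are the values the slide shows, and the
wlan.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org realm form is the 3GPP one used
for the AT&T example.
"""

# Constructed zone: (owner name, rtype) -> records.
#   NAPTR: (order, preference, flags, service, regexp, replacement)
#   SRV:   (priority, weight, port, target)
#   A:     address string
ZONE = {
    ("idp.example", "NAPTR"): [
        (60, 50, "s", "aaa+auth:radius.dtls.udp", "", "_radiusdtls._udp.idp.example"),
        (50, 50, "s", "aaa+auth:radius.tls.tcp", "", "_radiustls._tcp.idp.example"),
    ],
    ("_radiustls._tcp.idp.example", "SRV"): [
        (10, 10, 2083, "aaa2.idp.example"),
        (0, 10, 2083, "aaa1.idp.example"),
    ],
    ("aaa1.idp.example", "A"): ["192.0.2.10"],
    ("aaa2.idp.example", "A"): ["192.0.2.11"],
    # A realm that publishes only SRV records, no NAPTR.
    ("_radiustls._tcp.srvonly.example", "SRV"): [(0, 10, 2083, "aaa.srvonly.example")],
    ("aaa.srvonly.example", "A"): ["192.0.2.20"],
}


def lookup(name, rtype, zone=ZONE):
    """Stand-in for a DNS resolver; real code would query DNS here."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def realm_of(nai):
    """Realm part of an NAI such as anonymous@idp.example (RFC 7542)."""
    _user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        raise ValueError("NAI carries no realm; nothing to discover")
    return realm.lower()


def plmn_realm(mcc, mnc):
    """3GPP Wi-Fi realm for a PLMN; MNC and MCC are zero-padded to three digits."""
    return f"wlan.mnc{mnc:03d}.mcc{mcc:03d}.pub.3gppnetwork.org"


def discover_radsec(realm, resolve=lookup):
    """Return {'host', 'port', 'ip'} of the preferred RADSEC server, or None."""
    # 1. NAPTR: keep records for the RADIUS/TLS service whose "s" flag says the
    #    replacement is an SRV owner name; lowest order, then preference, wins.
    naptrs = [r for r in resolve(realm, "NAPTR")
              if r[3].lower() == "aaa+auth:radius.tls.tcp" and "s" in r[2].lower()]
    if naptrs:
        srv_name = min(naptrs, key=lambda r: (r[0], r[1]))[5]
    else:
        # Fallback this example applies when a realm publishes no NAPTR:
        # try the well-known SRV label directly.
        srv_name = f"_radiustls._tcp.{realm}"
    # 2. SRV: lowest priority first; among equal priorities prefer the higher
    #    weight (a production client picks among equals randomly by weight).
    srvs = sorted(resolve(srv_name, "SRV"), key=lambda r: (r[0], -r[1]))
    # 3. A: first target that actually resolves.
    for _prio, _weight, port, target in srvs:
        ips = resolve(target, "A")
        if ips:
            return {"host": target, "port": port, "ip": ips[0]}
    return None


def discover_for_identity(nai):
    """What the connector does with the RADIUS User-Name it received."""
    return discover_radsec(realm_of(nai))
```

The DTLS NAPTR record in the constructed zone is there to show that the service tag, not just the record's existence, drives selection: a realm that only published `aaa+auth:radius.dtls.udp` would yield nothing for a TLS-only connector. Once the host and port are known, the TLS tunnel described on the next slides is opened to them.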
Onboarding flow: Secure Tunnel for Authentication
(Same end-to-end diagram, with TLS based encryption highlighted.)

TLS Tunnel Setup Between Access Provider and IDP
Connector (Access Provider) <-> IDP AAA (Identity Provider):
1. TCP SYN / TCP SYN ACK
2. TLS Client Hello
3. TLS Server Hello, Server Certificate, Certificate Request, ServerHelloDone
4. TLS Certificate, ClientKeyExchange, Certificate Verify, Change Cipher Spec, Finished
5. TLS Change Cipher Spec, Finished
Connector verifies the Server certificate: certificate chain, validity, revocation, CN vs AAA FQDN, SubjectAltName vs Realm.
IDP AAA verifies the Client Certificate: certificate chain, validity, revocation, UID vs Operator-ID (optional).

openssl s_client -connect :2083    = check SSL connection
(the host name was blanked on the slide)

  CONNECTED(00000005)
  depth=3 C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Openroaming, CN=openroaming.org, emailAddress=enb-
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  2688:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/AppleInternal/Library/BuildRoots/97f6331a-ba75-11ed-a4bc-863efbbaf80d/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/ssl_pkt.c:1008:SSL alert number 42
  ---
  Certificate chain
   0 s:/C=US/ST=CA/O=Cisco/CN=
     i:/C=US/O=Cisco Systems Inc./OU=DNASpaces/ST=California/CN=cisco.openroaming.org/L=San Jose
   1 s:/C=US/O=Cisco Systems Inc./OU=DNASpaces/ST=California/CN=cisco.openroaming.org/L=San Jose
     i:/C=SG/ST=Singapore/L=Singapore/O=Wireless Broadband Alliance/OU=WBA/CN=openroaming.org/dnQualifier=WBA WRIX ECC Policy Intermediate CA-01
   2 s:/C=SG/ST=Singapore/L=Singapore/O=Wireless Broadband Alliance/OU=WBA/CN=openroaming.org/dnQualifier=WBA WRIX ECC Policy Intermediate CA-01
     i:/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-
   3 s:/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-
     i:/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-
  ---
  Server certificate
  subject=/C=US/ST=CA/O=Cisco/CN=
  issuer=/C=US/O=Cisco Systems Inc./OU=DNASpaces/ST=California/CN=cisco.openroaming.org/L=San Jose
  ---
  Acceptable client certificate CA names
  /C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-
  Server Temp Key: ECDH, P-256, 256 bits
  ---
  SSL handshake has read 6164 bytes and written 138 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  No ALPN negotiated
  SSL-Session:
      Protocol  : TLSv1.2
      Cipher    : ECDHE-RSA-AES256-GCM-SHA384
      Session-ID: 9965F3B5DF5C740E7FEF85D01DB29FA2688237B007C46EDE537DF169031276B7
      Session-ID-ctx:
      Master-Key: 81A4848377685711A43018559E14CA4842A82FDC27017D1CCD6F32894DC32148219A91C5ED7F4E4865734CBF50417E6D
      Start Time: 1683543981
      Timeout   : 7200 (sec)
      Verify return code: 19 (self signed certificate in certificate chain)
  ---

openssl s_client -connect :2083 -showcerts    = show certificate chain
openssl s_client -connect :2083 -msg          = show all messages

Onboarding flow: Authentication
(Same end-to-end diagram, with Authentication, Policy, Accounting highlighted.)

RADSEC EAP Authentication: EAP-TTLS
Access Provider: Device, AP/WLC, Connector. Identity Provider: IDP DNS, IDP AAA.
1. Device roams into wireless coverage
2. 802.11u Scan Request / Scan Report; 802.11u GAS request (ANQP Query) / GAS response (ANQP Resp); Device selects profile; Associate
3. EAP Request Identity / EAP Response Identity (...)
4. RADIUS Access Request (User-Name: ...) from AP/WLC to Connector
5. IDP Discovery (1); TLS Tunnel Setup (2)
6. RADSEC Access Request (User-Name: ...) from Connector to IDP AAA
7. RADSEC Challenge request (request TLS exchange) -> RADIUS Challenge request (request TLS exchange) -> EAP Request TLS exchange; EAP Response TLS exchange -> RADIUS Challenge response (response TLS exchange) -> RADSEC Challenge response (response TLS exchange)
8. RADSEC Challenge request (request TLS inner identity) -> RADIUS Challenge request (request TLS inner identity) -> EAP Request TLS inner identity; EAP Response TLS inner identity -> RADIUS Challenge response (TLS inner identity) -> RADSEC Challenge response (response TLS exchange)
9. RADSEC Access Accept (unique identifier) -> RADIUS Access Accept (unique identifier) -> EAP Access Accept (unique identifier)

RADSEC EAP Authentication: EAP-TTLS (detailed)
AP/WLC RADIUS Access-Request to Spaces Connector (packet capture callouts):
- Outer/Anonymous User Name
- NAS is the AP/WLC
- AP Radio MAC:SSID
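Two things a practitioner wants from the TLS tunnel slide above: how to read the openssl s_client transcript (the verify code 19 and the alert 42 in that session are what you typically see when the federation root is not passed with -CAfile and no client certificate is offered to a server that sent a Certificate Request), and the name checks the Connector applies to the server certificate. Here is an added Python example, not code from the deck, that does both; the transcript is a trimmed copy of the slide's output and the certificate dict uses constructed names (aaa1.idp.example, idp.example) and dates.

```python
"""Triage an `openssl s_client -connect <aaa>:2083` transcript and apply the
Connector-side name checks the slide lists (validity, CN vs AAA FQDN,
SubjectAltName vs Realm).

Added example, not code from the deck. The transcript is a trimmed copy of the
slide's LibreSSL output with the blanked names left out; the certificate dict
has the shape ssl.SSLSocket.getpeercert() returns, with constructed names
(aaa1.idp.example, idp.example) and dates. Chain building and revocation are
left to the TLS library; this code only interprets results.
"""
import re
import ssl
import time

S_CLIENT_OUTPUT = """\
CONNECTED(00000005)
depth=3 C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Openroaming, CN=openroaming.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
2688:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:ssl_pkt.c:1008:SSL alert number 42
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Verify return code: 19 (self signed certificate in certificate chain)
"""


def _grab(pattern, text, cast=str):
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else None


def triage_s_client(output):
    """Pull the facts a RADSEC troubleshooter needs out of an s_client transcript."""
    r = {
        "verify_code": _grab(r"Verify return code:\s*(\d+)", output, int),
        "alert": _grab(r"SSL alert number (\d+)", output, int),
        "protocol": _grab(r"Protocol\s*:\s*(\S+)", output),
        "cipher": _grab(r"Cipher is (\S+)", output),
        "client_cert_requested": "Acceptable client certificate CA names" in output,
        "findings": [],
    }
    if r["verify_code"] == 19:
        r["findings"].append("chain root is not trusted locally: pass the federation "
                             "root CA with -CAfile before judging the server certificate")
    if r["alert"] == 42 and r["client_cert_requested"]:
        r["findings"].append("server requires a client certificate (mutual TLS): "
                             "supply the connector certificate with -cert/-key")
    if r["protocol"] not in (None, "TLSv1.2", "TLSv1.3"):
        r["findings"].append(f"negotiated {r['protocol']}; RADSEC should use TLS 1.2 or newer")
    return r


# Constructed server certificate, in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example IDP"),),
                (("commonName", "aaa1.idp.example"),)),
    "subjectAltName": (("DNS", "aaa1.idp.example"), ("DNS", "idp.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}


def check_server_cert_names(cert, aaa_fqdn, realm, now=None):
    """Return a list of problems; empty means the cert passes the slide's checks."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate outside its validity period")
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if subject.get("commonName", "").lower() != aaa_fqdn.lower():
        problems.append(f"CN {subject.get('commonName')!r} does not match AAA FQDN {aaa_fqdn!r}")
    dns_sans = {v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    if realm.lower() not in dns_sans:
        problems.append(f"realm {realm!r} not present in SubjectAltName {sorted(dns_sans)}")
    return problems
```

The AAA FQDN compared against the CN is the SRV target obtained during IDP discovery, and the realm compared against the SubjectAltName is the one taken from the outer identity; a certificate that passes one check and fails the other is exactly the case where an IDP answers for a realm it does not own.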
RADSEC EAP Authentication: EAP-TTLS (detailed)
Spaces Connector RADIUS Access-Accept to AP/WLC (packet capture callouts):
- Inner Identity: the user shared the email
- Unique Identifier

OpenRoaming Privacy Built-in
1. Authentication is private: secure and private authentication between the user's device and the IDP.
2. User and device are identified in context: identified with a persistent Device ID and User ID within the IDP context.
3. IDP shares identities on the user's behalf: the IDP manages identity and privacy for the user and shares (anonymized) data in the secured path.
4. Privacy with user consent: the user controls privacy; identifiers are always persistent. Choices: Share my email / Hide my email / Hide my IDP.

Provisioning your credentials

SDK for iOS & Android
App -> SDK -> App Identity Backend / IDPaaS. APIs: Profile Management, Provisioning, Authentication. Identity protocols: OpenID Connect, SAML.
https:/
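One way to model points 3 and 4 of the OpenRoaming Privacy Built-in slide above in code: the IDP releases the inner identity (the e-mail) in the Access-Accept only when the user chose "Share my email", while a persistent pseudonymous identifier is returned in every case so the venue can still key analytics on it. This is an added Python example with an assumed design, not Cisco's implementation: carrying the identifier in Chargeable-User-Identity (RFC 4372) and deriving it as an HMAC over (user, device) under an IDP-held key are this example's choices; the key, addresses and device IDs are constructed.

```python
"""Model what the IDP returns in the Access-Accept under the user's privacy
choice: the inner identity (e-mail) only with "Share my email", and a
persistent pseudonymous Unique Identifier always.

Added example with an assumed design, not Cisco's implementation. Carrying the
Unique Identifier in Chargeable-User-Identity (RFC 4372) and deriving it as an
HMAC over (user, device) under an IDP-held key are this example's choices;
they give the "persistent, but not linkable to the e-mail by the venue"
property the slide describes. Key, identities and device IDs are constructed.
"""
import hashlib
import hmac

SHARE_EMAIL, HIDE_EMAIL = "share_email", "hide_email"


def outer_identity(realm):
    """EAP-TTLS outer identity seen over the air and by the venue: no user part."""
    return f"anonymous@{realm}"


def unique_identifier(idp_key, user_id, device_id):
    """Persistent pseudonym: same (user, device) -> same value; unguessable without the key."""
    msg = f"{user_id}\x00{device_id}".encode()
    return hmac.new(idp_key, msg, hashlib.sha256).hexdigest()[:32]


def access_accept_attributes(idp_key, user_email, device_id, consent):
    """Attributes the IDP returns to the access provider after a successful inner auth.

    With HIDE_EMAIL no User-Name is returned, so the NAS keeps the anonymous
    outer identity it already has.
    """
    if consent not in (SHARE_EMAIL, HIDE_EMAIL):
        raise ValueError("unknown consent choice")
    attrs = {"Chargeable-User-Identity": unique_identifier(idp_key, user_email, device_id)}
    if consent == SHARE_EMAIL:
        attrs["User-Name"] = user_email          # inner identity released with consent
    return attrs


def venue_view(attrs, outer):
    """What the venue can key its analytics on: a stable ID, the e-mail only if shared."""
    return {"id": attrs["Chargeable-User-Identity"],
            "email": attrs.get("User-Name"),
            "user_name_seen": attrs.get("User-Name", outer)}
```

Because the pseudonym is keyed, two venues that compare notes can link the same (user, device) across visits, which is the "persistent" property the slide promises, but neither can recover the e-mail from it; rotating the IDP key would break that persistence, so key management at the IDP is part of the privacy guarantee.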
Spaces SDK: Main SDK methods
- Initialization: The app registers with the Cisco Spaces account using the account API key.
- User Identity Association: The user logs onto the app using either an IDP supported by the Cisco Spaces Backend or an Enterprise or Loyalty ID, and sets their privacy preference.
- Install OpenRoaming Profile: The profile associated with the user identity is installed on their device, allowing the device to automatically log into OpenRoaming networks.
- Enable Push Notifications: Allows the Cisco Spaces backend to send notifications to user devices.
- Location Information: The app reports the current location of the device back to Cisco Spaces; the location can be used for use cases like wayfinding or targeted engagements.

Configuring OpenRoaming

Spaces OpenRoaming Configuration Steps
Catalyst Wireless:
1. Create an OpenRoaming Profile
2. Enable Hotspot Connector
3. Select Catalyst controller
4. Configure the OpenRoaming SSID
Meraki:
1. Create an OpenRoaming Profile
2. Enable Meraki API
3. Select Meraki network
4. Configure the OpenRoaming SSID
OpenRoaming profile: Access Policies
(Screenshots of the profile configuration.)

Cisco Spaces Policy Examples
| Use Case | Access Provider | Identity Provider | CSpaces Access Policy | CSpaces RCOIs | CSpaces Preferred Credentials |
| Retail: Improve analytics | Retail stores | All including anonymous | Accept All | allow-all (RCOI 004096 & 5A03BA0000) | I don't have |
| Hospital: better Indoor coverage | Retail stores | All + SPs | Accept All + Carrier Offload | allow-all (RCOI 004096 & 5A03BA0000) | I don't have |
| Retail: Loyalty customer experience | Retail stores | Only my loyalty customers | Accept only your | | |
| Hotel: seamless experience for specific visitors | Hotel properties | Cloud and Dev Manufacturer | Accept specified identity types | RCOI 005014 cloud, 00502a dev manufact | I don't have |
| Venue: indoor coverage and monetization | Venue location | SPs via settlement provider | Accept only your users + Carrier Offload | none | SP realms |

OpenRoaming Stats & Metrics: DNA Spaces
(Screenshot of the dashboard.)

Conclusion
Conclusion: Try OpenRoaming!
- If you do not have a Spaces account, get a free trial: https:/
- If you have a Spaces account, log in and activate OpenRoaming: https://ciscospaces.io/login
(App screenshot: "To enjoy seamless and secure WiFi, please choose an account for activation": Continue with Apple / Continue with Google)
OpenRoaming: Try it out!

References to learn more about OpenRoaming
- Catalyst 9800 WLC Config Guide OpenRoaming: https:/
- OpenRoaming integration with Cisco Spaces Documentation: https:/
- Spaces OpenRoaming Configuration Guide: https:/
- Spaces Connector 3.0 Config Guide: https:/
- How to configure OpenRoaming at C9800 Video: https://youtu.be/XsD6e6F6u4k
- Cisco Spaces SDK: https:/
- OpenRoaming: https:/

BONUS Materials! Preview: New Spaces Dashboard
Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL
Thank you
#CiscoLive

Gamify your Cisco Live experience!
Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.