As knowledge workers continue to work remotely, work from home has rapidly escalated from one of many remote work options to “the remote work option”. For Network Administrators, this means equipping employees with the basics, laptops and corporate network connectivity, and optimizing application delivery despite unpredictable network performance caused by bandwidth contention and latency. It can also mean an increase in tech support calls from end-users complaining about VPN connectivity and poor network performance.
Cisco’s Remote Workforce Wireless Solution allows a Network Administrator to extend the secure, scalable, and manageable corporate WLAN across the internet to the remote worker’s home. This allows the remote worker to securely connect back to the private network from home simply by using their regular wireless profile, without having to set up a VPN or another type of remote access. Remote users will be able to connect, have access to corporate resources, and “feel” just as if they were connected to the wireless network at the corporate office.
The ease of work from home for employees should not come at a cost of increased administrative load and pre-configuration of access points for network admins. To address this, Cisco’s Remote Workforce Wireless Solution makes the remote work option seamless for employees as well as for network administrators using zero-touch deployment.
The simple architecture of Remote Workforce Wireless Solution consists of the remote site and corporate office components. The remote site is the home network of the remote worker and consists of a home router and Cisco’s Access Point. The office component consists of Cisco PnP cloud and Catalyst 9800 Wireless LAN Controller.
How does it work?
Cisco’s Remote Workforce Wireless Solution focuses on zero-touch deployment and significantly reduces the extra efforts of employee-specific access point configuration. The network administrator does not have to preconfigure the access points and it can be directly shipped to the remote worker’s home with no configuration. The remote worker will just need to power up the Cisco AP and connect it behind the home router. The AP will boot, connect to the corporate Wireless LAN Controller (WLC), and will start broadcasting the corporate wireless network at the remote worker’s home.
Admins can use Cisco’s Network Plug and Play (PnP) to provision the APs. On the PnP cloud, admins define profiles for APs keyed by AP serial number. The controller profile holds the primary and secondary IP addresses of the corporate WLC. The admin can simply import the AP serial numbers from a CSV file and assign them a controller profile.
Let’s explore the workflow in detail. After initial boot up, the AP obtains an IP address from the home router and connects to the PnP cloud at software.cisco.com. When the PnP cloud receives the redirection request from the AP, it checks the serial number, assigns the matching controller profile, and sends the corporate wireless controller’s IP address to the AP. The AP then uses this IP address to form a secure Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with the corporate WLC.
Once the CAPWAP tunnel is formed, the AP downloads the latest available software and all the advanced configuration from the corporate WLC. The AP moves to OEAP mode with data encryption enabled. After the AP joins the controller, it starts broadcasting the corporate wireless network at the remote worker’s home. The remote worker can now connect to this wireless network using secure enterprise authentication and access corporate resources and the internet. To ensure that unauthorized APs cannot join the corporate WLC, the admin can enable AP authentication on the WLC.
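The onboarding flow above has two separate decision points that are easy to conflate: the PnP cloud decides which controller an AP is redirected to (by serial number and controller profile), and the WLC decides whether that AP is allowed to join (AP authentication). The following is an added simulation, not Cisco code and not the PnP cloud’s or the Catalyst 9800’s real API; the CSV layout, the serial numbers, the profile names and the WLC addresses are all constructed for illustration. It shows the admin’s CSV import being parsed into a serial-to-profile map, the redirect lookup, and a join check that refuses an AP the PnP cloud knows about but the WLC does not.

```python
"""Constructed simulation of zero-touch AP onboarding: PnP-cloud redirect
by serial number, then a WLC-side AP authentication check.
Not Cisco's implementation; all names and values below are assumptions."""
import csv
import io
from dataclasses import dataclass

# Constructed CSV in the shape an admin might import into the PnP cloud:
# one AP serial per row, each assigned a controller profile name.
PNP_IMPORT_CSV = """serial,controller_profile
FGL2410AB01,corp-wlc-east
FGL2410AB02,corp-wlc-east
FGL2410AB03,corp-wlc-west
"""

# Constructed controller profiles: primary and secondary WLC addresses
# (documentation ranges, not real controllers).
CONTROLLER_PROFILES = {
    "corp-wlc-east": {"primary": "198.51.100.10", "secondary": "198.51.100.11"},
    "corp-wlc-west": {"primary": "203.0.113.10", "secondary": "203.0.113.11"},
}


@dataclass(frozen=True)
class RedirectResponse:
    """What the PnP cloud hands back to an AP after a successful lookup."""
    serial: str
    primary_wlc: str
    secondary_wlc: str


def load_pnp_profiles(csv_text):
    """Parse the admin's CSV import into a serial -> profile-name map.
    Serials are normalised to upper case; a duplicate serial is rejected
    because two profiles for one AP would make the redirect ambiguous."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = row["serial"].strip().upper()
        if serial in mapping:
            raise ValueError(f"duplicate serial in import: {serial}")
        mapping[serial] = row["controller_profile"].strip()
    return mapping


def pnp_redirect(serial, serial_to_profile, profiles):
    """PnP-cloud step: look up the serial, resolve its controller profile and
    return the WLC addresses. An unknown serial gets no redirect (None)."""
    profile_name = serial_to_profile.get(serial.strip().upper())
    if profile_name is None:
        return None
    profile = profiles[profile_name]
    return RedirectResponse(serial.strip().upper(), profile["primary"], profile["secondary"])


def wlc_join_allowed(serial, authorized_serials, ap_auth_enabled=True):
    """WLC step: with AP authentication enabled, only APs on the controller's
    authorization list may join. With it disabled, any AP that reaches the
    controller is accepted, which is the weaker configuration."""
    if not ap_auth_enabled:
        return True
    return serial.strip().upper() in authorized_serials


def onboard(serial, serial_to_profile, profiles, authorized_serials):
    """Run both steps for one AP. Returns (primary WLC address or None, outcome),
    where outcome is 'no-pnp-profile', 'join-rejected' or 'joined'."""
    redirect = pnp_redirect(serial, serial_to_profile, profiles)
    if redirect is None:
        return (None, "no-pnp-profile")
    if not wlc_join_allowed(serial, authorized_serials):
        return (redirect.primary_wlc, "join-rejected")
    return (redirect.primary_wlc, "joined")


if __name__ == "__main__":
    serial_map = load_pnp_profiles(PNP_IMPORT_CSV)
    # Constructed WLC authorization list: deliberately missing AB03 to show
    # that a PnP redirect alone does not let an AP join the controller.
    wlc_auth_list = {"FGL2410AB01", "FGL2410AB02"}
    for ap in ("FGL2410AB01", "FGL2410AB03", "UNKNOWN00000"):
        print(ap, onboard(ap, serial_map, CONTROLLER_PROFILES, wlc_auth_list))
```

The point of keeping the two checks separate is that the PnP cloud only tells an AP where to go; the controller’s own authorization list is what stops a device that merely knows the WLC address from joining, which is why the text recommends enabling AP authentication on the WLC.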
What are the Added Advantages of Remote Workforce Wireless Solution over VPN?
In the Remote Workforce Wireless Solution, the AP is in OEAP mode, which uses a secure Datagram Transport Layer Security (DTLS) connection between the access point and the controller. With simple onboarding, the end-user does not need to install any VPN software and can connect multiple devices to the corporate network. Having the corporate SSID broadcast at home makes it easy to connect and eliminates the need to ever sign on to a VPN.
How does the Remote Workforce Wireless Solution Benefit the Network Admin and Remote Worker?
Remote Worker:
Cisco’s Remote Workforce Wireless Solution provides the highest level of security and enables the deployment of additional hardware such as Cisco IP phones. This effectively creates a small office for the employee, giving them all the access they would expect while at the office. In addition, the solution allows spouses and children to access the Internet through a custom personal SSID without introducing additional security risks to corporate policy.
Network Administrators:
By using the same management, operations, and infrastructure as the corporate WLAN, the solution simplifies the process of extending real-time, high-performance network services to remote locations. Network admins have more control and visibility, which helps in troubleshooting connectivity issues on the remote worker’s side and lets them distinguish ISP problems from corporate-side problems. Admins do not have to define new security policies; the existing Cisco TrustSec policies can be extended to the remote site for a more secure network.
Recommended Products for Remote Workforce Wireless Solution on IOS XE Software 17.3.1 Release:
Learn more about Cisco Catalyst 9800 Wireless Controllers and the OEAP Configuration.
Nice blog, clear and neat explanations.
Very informative!
Well explained!!
Good information. Is the solution available in 16.12 release?
Hi David,
The recommended releases for this solution are IOS XE 17.3.1 and above.
Just curious how this is different from the teleworker capability offered much earlier by OEAP 602.
OEAP doesn’t have any central orchestration, so IT admin has to configure access points manually before sending them to users.
With Remote Workforce Wireless solutions, users can get the device directly from the manufacturer (bypassing IT). The image download time is significantly reduced by using a larger CAPWAP window size. It uses the PnP (Plug-n-Play) cloud to get all the designated configurations and download them into the device automatically.
Existing OEAP solution does not support DIA (split tunneling) for cloud applications.
The new solutions support DIA (split tunneling) where policy can be defined for traffic to be tunneled from wireless controller or switch locally to the Internet.
In regards to security, OEAP does not offer Umbrella security and TrustSec. It also can’t apply QoS policies to video or audio traffic. This new solution offers the same security policies and application experience that you would have at a campus or branch location.
Does the Catalyst 9800 platform (17.x code train) support automatic RRM and Tx power level control for OEAPs?
Yes, it supports RRM and Tx power level control. The recommended releases are 17.3.1 and above.
Well explained Bhushan. Very informative.
Informative!