https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862917#M28966 <P>During our implementation of Guest Wireless (currently ongoing), we are trying to decide where to point to for DNS.</P><P></P><P>We have a 5508 WLC in our Internet DMZ and it acts as the Anchor WLC. This WLC is also used as the DHCP server for the Guest Wireless clients.</P><P></P><P>We are debating whether to point the clients internally to our primary DNS servers, or externally to the public service provider DNS servers. The only DNS servers in the DMZ are external forwarders.</P><P></P><P>From a network standpoint, I think either solution would work. But from a security standpoint, which is better? Or is there another option?</P><P></P><P>Can anyone recommend a standard or best practice design when it comes to DNS for Guest Wireless?</P><P></P><P>Thanks in advance!</P> Sun, 04 Jul 2021 04:26:57 GMT Jason Wing 2021-07-04T04:26:57Z https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862917#M28966 <P>During our implementation of Guest Wireless (currently ongoing), we are trying to decide where to point to for DNS.</P><P></P><P>We have a 5508 WLC in our Internet DMZ and it acts as the Anchor WLC. This WLC is also used as the DHCP server for the Guest Wireless clients.</P><P></P><P>We are debating whether to point the clients internally to our primary DNS servers, or externally to the public service provider DNS servers. The only DNS servers in the DMZ are external forwarders.</P><P></P><P>From a network standpoint, I think either solution would work. But from a security standpoint, which is better? Or is there another option?</P><P></P><P>Can anyone recommend a standard or best practice design when it comes to DNS for Guest Wireless?</P><P></P><P>Thanks in advance!</P> Sun, 04 Jul 2021 04:26:57 GMT https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862917#M28966 Jason Wing 2021-07-04T04:26:57Z https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862918#M28967 <HTML><HEAD></HEAD><BODY><P>Use an external dns if possible. The only time I would use an internal is if I install a 3rd party certificate on the guest anchor to get rid of the certificate error page during a webauth and the client doesn't have an external dns or the isp will not add an A record to resolve the certificate CN name.</P><P></P><P>Thanks,</P><P></P><P>Scott Fella</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Wed, 25 Jan 2012 03:03:07 GMT https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862918#M28967 Scott Fella 2012-01-25T03:03:07Z https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862919#M28968 <HTML><HEAD></HEAD><BODY><P>If you are not playing around with third party certificates for webauth. Just point to external Internet servers. The only reason to use yours is if they would need access to internal resources, like a printer. </P><P></P><P>Steve</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Wed, 25 Jan 2012 03:06:53 GMT https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862919#M28968 Stephen Rodriguez 2012-01-25T03:06:53Z https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862920#M28969 <HTML><HEAD></HEAD><BODY><P> Thanks for the info - exactly what I needed. The guest access is not needed internally and I am not doing cerficicates. Therefore - external it is. </P></BODY></HTML> Wed, 25 Jan 2012 17:14:01 GMT https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/1862920#M28969 Jason Wing 2012-01-25T17:14:01Z https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/4140132#M28970 <P>Hi Cisco community group,</P><P>&nbsp;</P><P>We are having a similar issue.</P><P>Our setup is as follows:&nbsp;</P><P>We have visitor SSID on WLC which is not in DMZ. We are doing AAA for visitor SSID on WLC using the external webauth using Cisso ISE visitor portal and the redirect URL.</P><P>But, in the entire flow of getting the visitor credentials authenticated from ISE visitor pprtal through WLC, there is the virtual interface of 192.0.2.1 on WLC which is required with a DNS record.</P><P>&nbsp;</P><P>Now if I use External - public or ISP DNS, it cannot resolve that virtual interface DNS record and thus the authentication process seems to break and the wireless user doesn't reach the Run status, it is stuck in Webauth Required status.</P><P>Now, We are not pointing the visitor wireless users to the Internal DNS, as we only want the publicly facing servers to be visible to the&nbsp; visitors and not the private records.</P><P>&nbsp;</P><P>How can we get around this problem.</P><P>Whats is the best way to implement guest or Visitor wireless in a campus environment.</P><P>&nbsp;</P><P>Thank you.</P> Mon, 24 Aug 2020 04:04:06 GMT https://community.cisco.com/t5/wireless/guest-wireless-and-dns/m-p/4140132#M28970 parag_waghmare 2020-08-24T04:04:06Z