topic Re: ISE Guest with WLC in dmz in Wireless

ISE Guest with WLC in dmz

zohaibjaved181 — Mon, 05 Jul 2021 16:45:06 GMT

Dear Experts,

We need design recommendation for WLC and ISE for guest access. we have 2 WLCs (SSO) and one ISE node. we want to connect the second interface of WLCs in the DMZ and ISE will be placed in the internal network.

Is this a doable design? what is the recommendation from a security perspective?

Does WLC support traffic over multiple interfaces.

WLC model is 5520

Appreciate your quick response.

Re: ISE Guest with WLC in dmz

balaji.bandi — Sat, 26 Jan 2019 11:06:46 GMT

Do you have any high level topology, Can this 5520 WLC dedicated to Guest Anchor ?

Re: ISE Guest with WLC in dmz

zohaibjaved181 — Sat, 26 Jan 2019 13:03:40 GMT

I am not that good with the drawings but here is attached.

No, it cannot be used as Anchor controller.

Re: ISE Guest with WLC in dmz

zohaibjaved181 — Sat, 26 Jan 2019 13:04:04 GMT

I am not that good with the drawings but here is attached.

No, it cannot be used as Anchor controller.

Re: ISE Guest with WLC in dmz

Scott Fella — Sat, 26 Jan 2019 14:03:29 GMT

With SSO, LAG is required so you cannot use a dedicated port. That type of design would be better with N+1 where you set the port priority and assign what port an interface belongs to. With SSO, you can place the guest into a non routable vlan internally and then have another port on the switch pass that traffic to the DMZ.

Re: ISE Guest with WLC in dmz

Arne Bier — Tue, 29 Jan 2019 10:44:15 GMT

You can create a totally new VLAN just for guests and ensure that this is the Interface Group/VLAN that unauthenticated users get placed into when they associate with your open SSID (Guest). The WLC will send Radius requests to ISE via the managament VLAN and this will arrive at Gig0 on the ISE node (ISE listens to Radius/TACACS on all active interfaces). And then the security advice I can give you is that you host your guest portal on a different ISE interface - e.g. Gig1. This is easily done from the ISE GUI when you create the portal. This means that ISE won't listen on tcp/443&8443 on Gig0 - hence, guests won't be able to attack your ISE node kill your managment interface. Of course if you're not careful, they can still DOS ISE on Gig1. But you should be very restrictive in your Cisco WLC ACL's for portal user roles, and authenticated user roles. Portal users should only be allowed to perform DNS queries and talk tcp/8443 to ISE. Be as explicity as you can and even nail down the exact DNS servers in your ACLs!

For authenticated users you allow DNS, ISE and then block RFC1918 addresses, and finally, allow all the rest. That should ensure that Guests only get to internet. If you have a web proxy in your design, then the rule is a bit different - you don't allow all, but you simply allow all traffic to the proxy only, and then block the rest.