
ISE Guest Anchor WLC

omadrile
Cisco Employee

Hi team,

From a security perspective, if a customer decides to have a Guest anchor WLC without a dedicated PSN node in the DMZ running the Guest portals, I understand the main benefit compared to not having any Guest anchor WLC is that you force all guest traffic to be terminated inside the DMZ and can centrally define all security rules on the DMZ firewall. However, without a Guest anchor WLC you could still map all guest traffic to certain restricted VLANs, which would prevent guest users from accessing other corporate resources.

Is there any additional security benefit to having a Guest anchor WLC if there's no dedicated PSN node in the DMZ for an ISE deployment?

Thanks!


5 Replies

gbekmezi-DD
Level 5

You don't need a dedicated PSN in the DMZ for guest, Josep. You can allow the required traffic through your firewall, or you can use a second interface on an existing PSN and bind that to the guest portal.

HTH,

George

Hi George,

I agree it's not required to have a dedicated PSN in the DMZ. My question was more about identifying additional security benefits of deploying a guest anchor WLC versus not having it for an ISE deployment.

Thanks,

Oriol

I imagine one of the PSN interfaces can be assigned to the DMZ switch/VLAN for the guest portal, correct?

Yes, it is certainly possible to assign one of the PSN interfaces to the DMZ, but it is recommended to place the PSN behind a FW and let users in the DMZ Guest VLAN reach TCP/8443 on the PSN. This way, it is easier to deal with a redundant ISE design, and it is also much simpler.

To answer the question from the OP: the WLC Anchor Controller provides segmentation by anchoring guest traffic to the anchor controller. Not related to ISE, but there is an inherent benefit in not having guest traffic traverse the internal network. The only internal access the guest user needs is the guest portal for CWA and possibly DNS.

Hosuk
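The design described in the accepted answer, expressed as a DMZ firewall allowlist. This is an added illustration, not configuration from the original thread or from Cisco: it is written in Cisco ASA syntax, and the interface name, the guest subnet 192.168.100.0/24, the PSN address 10.10.20.5 and the DNS resolver address 10.10.20.53 are assumed values. The guest VLAN terminated on the anchor WLC is allowed to reach only the ISE guest portal (TCP/8443, the ISE default portal port) and DNS; everything else toward internal (RFC 1918) address space is denied and logged, and general Internet access is permitted.

```text
! Cisco ASA style. Addresses and interface name are assumed for this example.
object network GUEST-DMZ-NET
 subnet 192.168.100.0 255.255.255.0
object network ISE-PSN-PORTAL
 host 10.10.20.5
object network DNS-RESOLVER
 host 10.10.20.53
object-group network INTERNAL-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! Guest portal for CWA: the only ISE flow the guest client itself needs.
access-list GUEST_DMZ_IN extended permit tcp object GUEST-DMZ-NET object ISE-PSN-PORTAL eq 8443
! Name resolution (UDP and TCP 53) so the redirect to the portal FQDN resolves.
access-list GUEST_DMZ_IN extended permit udp object GUEST-DMZ-NET object DNS-RESOLVER eq 53
access-list GUEST_DMZ_IN extended permit tcp object GUEST-DMZ-NET object DNS-RESOLVER eq 53
! Everything else toward internal address space is blocked and logged.
access-list GUEST_DMZ_IN extended deny ip object GUEST-DMZ-NET object-group INTERNAL-RFC1918 log
! Remaining guest traffic is Internet-bound and allowed.
access-list GUEST_DMZ_IN extended permit ip object GUEST-DMZ-NET any

access-group GUEST_DMZ_IN in interface guest-dmz
```

The deny line before the final permit is what turns "guest terminates in the DMZ" into an enforced boundary: if an engineer later adds an internal host the guests are not meant to reach, it is covered without editing the ACL. The anchor WLC's own control-plane traffic (the mobility tunnel to the foreign controllers and its RADIUS exchange with ISE) is a separate flow from the guest VLAN and is not addressed by this ACL.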

Ping Zhou
Level 8

Well, using a guest anchor in the DMZ, there is firewalling between the DMZ and internal. Plus, you don't have to map the guest VLAN on each of your foreign wireless LAN controllers.
