01-24-2021 10:13 AM
01-25-2021 03:10 PM
The use of an anchor controller in a DMZ is the best practice recommendation.
See Enterprise Mobility 8.5 Design Guide > Cisco Unified Wireless Network Guest Access Services > Guest Access using the Cisco Unified Wireless Network Solution for the full details.
01-24-2021 10:28 AM - edited 01-24-2021 10:29 AM
Hi @Alan Inman
I wouldn't allow any guest access communication to the internal network, carry on using DHCP from the ASA. If using Umbrella, NAT this guest traffic behind a unique public IP address. You can then identify guest traffic by this source IP address and apply a different Umbrella policy to corporate traffic.
If/when you get ISE you could implement the guest portal to capture user/device information.
HTH
01-24-2021 12:28 PM
1. Do not allow guest users to communicate with the inside network. Accomplish this with a simple ACL denying source of the guest network destined to any RFC-1918 address and permit all other IPs (Internet). Add permit rules for DNS as needed.
2. Do not allow Layer 2 communication between wireless users on the guest network. Depending on whether you're using Cisco Meraki, Cisco Lightweight APs controlled by a WLC, or Autonomous APs, how this is deployed will change. This will ensure that a user on the guest network cannot try to scan the other guests or commit malicious acts.
3. If using Umbrella, ensure that you are blocking all other outbound DNS to ensure that your Umbrella policy is applied. Many web browsers will be using DNS over HTTPS now, so you'll need to block access to external DNS servers (e.g. 1.1.1.1, 8.8.8.8).
4. If you want to see the internal IP address of your users in the Umbrella dashboard, consider putting a Virtual Appliance (VA) on the guest network and make it the DNS server in your DHCP assignment so all users on the guest network use Umbrella.
5. When you get ISE installed, you can require that users log in via a splash page so you can then tie a user to the device instead of just seeing IP addresses. This will help to figure out who you need to talk to when you see an alarm about malware or any policy violations in Umbrella.
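As an added example (not from this thread or any Cisco product), the Python below models steps 1 and 3 of the answer above as an ordered, first-match ACL and checks the intended guest policy against constructed flows before anything is typed into the ASA. The guest subnet and test addresses are constructed, and the Umbrella resolver addresses are an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the example; the Umbrella resolver addresses are assumed.
GUEST_NET = ip_network("172.16.50.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UMBRELLA_DNS = [ip_network("208.67.222.222/32"), ip_network("208.67.220.220/32")]
PUBLIC_DNS = [ip_network("1.1.1.1/32"), ip_network("8.8.8.8/32")]  # resolvers named in the post

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    dst: Optional[object] = None    # destination network, None = any
    proto: Optional[str] = None     # "udp" / "tcp", None = any
    dport: Optional[int] = None     # destination port, None = any
    note: str = ""

    def matches(self, dst, proto, dport):
        return ((self.dst is None or dst in self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

# First match wins and an unmatched flow is denied, as on the ASA.
GUEST_ACL = (
    [Rule("deny", n, note="step 1: guest -> internal") for n in RFC1918]
    # Deny the whole host, not just port 53, so DNS over HTTPS to it is caught too.
    + [Rule("deny", n, note="step 3: public resolver, any port") for n in PUBLIC_DNS]
    + [Rule("permit", n, p, 53, "step 3: Umbrella DNS") for n in UMBRELLA_DNS for p in ("udp", "tcp")]
    + [Rule("deny", None, None, 53, "step 3: any other DNS")]
    + [Rule("permit", None, note="step 1: Internet")]
)

def evaluate(src, dst, proto, dport, acl=GUEST_ACL):
    """Return (action, note) for one flow sourced from the guest network."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in GUEST_NET:
        return "deny", "source is not a guest address"
    for rule in acl:
        if rule.matches(dst, proto, dport):
            return rule.action, rule.note
    return "deny", "implicit deny"

def check_policy(acl=GUEST_ACL):
    """Flows the policy must deny (False) or allow (True); returns the flows that fail."""
    expected = {
        ("172.16.50.20", "10.1.1.5", "tcp", 445): False,      # internal file server
        ("172.16.50.20", "1.1.1.1", "tcp", 443): False,       # DoH to a public resolver
        ("172.16.50.20", "8.8.8.8", "udp", 53): False,        # classic DNS to a public resolver
        ("172.16.50.20", "203.0.113.10", "udp", 53): False,   # DNS to any other host
        ("172.16.50.20", "208.67.222.222", "udp", 53): True,  # DNS to Umbrella
        ("172.16.50.20", "203.0.113.10", "tcp", 443): True,   # ordinary web traffic
    }
    return [flow for flow, allowed in expected.items()
            if (evaluate(*flow, acl)[0] == "permit") != allowed]
```

Dropping the "public resolver, any port" rules makes check_policy report the DoH flow, which is the gap a port-53-only ACL leaves open.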
01-24-2021 12:56 PM
It is always suggested to keep DNS and DHCP outside of the enterprise LAN network.