Cisco Employee

ISE Guest Anchor WLC

Hi team,

From a security perspective, if a customer decides to have a Guest anchor WLC without a dedicated PSN node in the DMZ running the Guest portals, I understand the main benefit compared to not having any Guest anchor WLC is that you enforce all guest traffic to be terminated inside the DMZ and can centrally define all security rules in the DMZ firewall. However, in case of not having a Guest anchor WLC you could still map all guest traffic to certain restricted VLANs, which would prevent guest users from accessing other corporate resources.

Is there any additional security benefit for having a Guest anchor WLC if there's no dedicated PSN node in the DMZ for an ISE deployment?

Thanks!

Contributor

You don't need a dedicated PSN in the DMZ for guest, Josep. You can allow the traffic required through your firewall, or you can use a second interface on an existing PSN and bind that to the guest portal.

HTH,

George


Hi George,

I agree it's not required to have a dedicated PSN in the DMZ. My question was more about identifying additional security benefits of deploying a guest anchor WLC versus not having it for an ISE deployment.

Thanks,

Oriol


I imagine one of the PSN interfaces can be assigned to the DMZ switch/VLAN for the guest portal, correct?

Accepted Solution

Yes, it is certainly possible to assign one of the PSN interfaces to the DMZ, but it is recommended to place the PSN behind a FW and let users in the DMZ guest VLAN get TCP/8443 to the PSN. This way, it is easier to deal with a redundant ISE design and also much simpler.

To answer the question from the OP: the WLC Anchor Controller provides segmentation by anchoring guest traffic to the anchor controller. Not related to ISE, but there is an inherent benefit of not having guest traffic traverse the internal network. The only internal access the guest user needs is the guest portal for CWA and possibly DNS.

Hosuk

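As an added illustration of the firewall posture Hosuk describes (this is example code, not something from the thread or from Cisco), the following Python models the DMZ firewall policy as an ordered, first-match rule list: the guest VLAN may reach the PSN on TCP/8443 and a DNS resolver, is denied the corporate and DMZ server ranges, and is otherwise allowed out to the Internet. All addresses, rule names and the sample flows are constructed assumptions; only the port 8443 comes from the answer above. The sample flows include the edge cases that show why the portal permit has to be scoped to both the PSN host and the port: the same guest reaching the PSN on 443, or an internal host on 8443, is denied.

```python
"""First-match model of a DMZ firewall policy for an anchored guest VLAN:
guests may reach the PSN on TCP/8443 (guest portal / CWA) and DNS, and
nothing else on the internal side.

All addressing is constructed for the example (IETF documentation ranges);
it is not taken from the thread or from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

GUEST_VLAN = ip_network("192.0.2.0/24")        # constructed: DMZ guest VLAN behind the anchor WLC
PSN_PORTAL = ip_network("198.51.100.10/32")    # constructed: ISE PSN interface serving the portal
DNS_SERVER = ip_network("198.51.100.53/32")    # constructed: resolver guests may use
DMZ_SERVERS = ip_network("198.51.100.0/24")    # constructed: rest of the DMZ server segment
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")

Flow = Tuple[str, str, str, int]   # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        src, dst, proto, dport = flow
        return (
            self.proto in ("any", proto)
            and ip_address(src) in self.src
            and ip_address(dst) in self.dst
            and (self.dport is None or self.dport == dport)
        )


# Ordered like an extended ACL: first match wins, implicit deny at the end.
# The PSN permit is listed before the corporate denies on purpose: in a real
# deployment the PSN usually lives in RFC1918 space, and a deny listed first
# would shadow the permit.
GUEST_DMZ_POLICY = [
    Rule("guest-to-psn-portal", "permit", "tcp", GUEST_VLAN, PSN_PORTAL, 8443),
    Rule("guest-dns-udp", "permit", "udp", GUEST_VLAN, DNS_SERVER, 53),
    Rule("guest-dns-tcp", "permit", "tcp", GUEST_VLAN, DNS_SERVER, 53),
    *[Rule(f"deny-guest-to-corp-{net}", "deny", "any", GUEST_VLAN, net, None) for net in CORP_NETS],
    Rule("deny-guest-to-dmz-servers", "deny", "any", GUEST_VLAN, DMZ_SERVERS, None),
    Rule("guest-to-internet", "permit", "any", GUEST_VLAN, ANY, None),
]


def evaluate(flow: Flow, policy=GUEST_DMZ_POLICY) -> Tuple[str, str]:
    """Return (action, rule_name) for the first matching rule, or the implicit deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed sample flows, including the edge cases the policy is meant to catch.
SAMPLE_FLOWS = {
    "portal":        ("192.0.2.25", "198.51.100.10", "tcp", 8443),  # CWA redirect target
    "dns":           ("192.0.2.25", "198.51.100.53", "udp", 53),
    "psn-https":     ("192.0.2.25", "198.51.100.10", "tcp", 443),   # right host, wrong port
    "corp-8443":     ("192.0.2.25", "10.1.1.20", "tcp", 8443),      # right port, internal host
    "internet":      ("192.0.2.25", "203.0.113.80", "tcp", 443),
    "non-guest-src": ("10.5.5.5", "198.51.100.10", "tcp", 8443),    # not guest traffic at all
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        action, rule = evaluate(flow)
        print(f"{label:14} {flow[0]:>12} -> {flow[1]}:{flow[3]}/{flow[2]:<3}  {action:6} ({rule})")
```

Running the block prints one line per sample flow with the rule that decided it; the deny rules for the DMZ server segment and the corporate ranges are what turn Hosuk's "only the guest portal and possibly DNS" into an enforced statement rather than a convention, regardless of which VLAN the anchor WLC maps the guests into.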

Collaborator

Well, using a guest anchor in the DMZ, there is firewalling between the DMZ and internal. Plus, you don't have to map the guest VLAN on each of your foreign wireless LAN controllers.
