08-11-2016 02:24 PM
Hi team,
From a security perspective, if a customer decides to have a guest anchor WLC without a dedicated PSN node in the DMZ running the guest portals, I understand the main benefit compared to not having any guest anchor WLC is that you force all guest traffic to be terminated inside the DMZ and can centrally define all security rules in the DMZ firewall. However, without a guest anchor WLC you could still map all guest traffic to certain restricted VLANs, which would prevent guest users from accessing other corporate resources.
Is there any additional security benefit for having a Guest anchor WLC if there's no dedicated PSN node in the DMZ for an ISE deployment?
Thanks!
08-17-2016 11:34 AM
Yes, it is certainly possible to assign one of the PSN interfaces to the DMZ, but it is recommended to place the PSN behind a FW and let users in the DMZ guest VLAN reach TCP/8443 on the PSN. This way, it is easier to deal with a redundant ISE design, and it is also much simpler.
To answer the question from the OP: the WLC anchor controller provides segmentation by anchoring guest traffic to the anchor controller. Not related to ISE, but there is an inherent benefit in not having guest traffic traverse the internal network. The only internal access the guest user needs is the guest portal for CWA and possibly DNS.
Hosuk
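As an added example (not from this thread or from Cisco's own documentation), this is the shape of the DMZ firewall policy Hosuk's answer implies for the anchored guest segment, written in Cisco ASA object/ACL syntax. The interface name `dmz_guest` and all addresses are placeholders taken from the RFC 5737 documentation ranges; the portal port TCP/8443 and the DNS allowance come from the answer above.

```cisco
! Placeholder addressing (RFC 5737 documentation ranges, not a real deployment)
object network GUEST_DMZ
 description Guest VLAN terminated on the anchor WLC in the DMZ
 subnet 192.0.2.0 255.255.255.0
object network ISE_PSN
 description ISE Policy Service Node behind the firewall (internal side)
 host 198.51.100.10
object network INTERNAL_DNS
 description Resolver the guest portal FQDN must resolve against
 host 198.51.100.53
object-group network INTERNAL_RFC1918
 description Everything else on the corporate side; guests must not reach it
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Inbound policy on the DMZ guest interface: only the CWA portal and DNS
! cross into the internal network; all other internal destinations are
! denied and logged, then Internet-bound traffic is permitted.
access-list DMZ_GUEST_IN extended permit tcp object GUEST_DMZ object ISE_PSN eq 8443
access-list DMZ_GUEST_IN extended permit udp object GUEST_DMZ object INTERNAL_DNS eq 53
access-list DMZ_GUEST_IN extended permit tcp object GUEST_DMZ object INTERNAL_DNS eq 53
access-list DMZ_GUEST_IN extended deny ip object GUEST_DMZ object-group INTERNAL_RFC1918 log
access-list DMZ_GUEST_IN extended permit ip object GUEST_DMZ any
!
access-group DMZ_GUEST_IN in interface dmz_guest
```

The ACL covers guest client traffic only; any control-plane flows the anchor WLC itself has with ISE (RADIUS, CoA) and the outbound NAT for Internet access need their own rules.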
08-11-2016 02:33 PM
You don't need a dedicated PSN in the DMZ for guest, Josep. You can allow the required traffic through your firewall, or you can use a second interface on an existing PSN and bind that to the guest portal.
HTH,
George
08-11-2016 02:38 PM
Hi George,
I agree it's not required to have a dedicated PSN in the DMZ. My question was more about identifying additional security benefits of deploying a guest anchor WLC versus not having it for an ISE deployment.
Thanks,
Oriol
08-11-2016 03:17 PM
I imagine one of the PSN interfaces can be assigned to the DMZ switch/VLAN for the guest portal, correct?
08-11-2016 02:46 PM
Well, using a guest anchor in the DMZ, there is firewalling between the DMZ and internal. Plus, you don't have to map the guest VLAN on each of your foreign wireless LAN controllers.