05-01-2018 03:09 AM - edited 02-21-2020 10:54 AM
Hi Folks,
This is more of a design and solution question rather than configuration.
Company A has its own WLC, ISE and Cisco APs that manage Company A's client for their printers on site. Now, the client decides to change to Company B, who would authenticate their wireless printers moving forward. However, Company B wants to leverage Company A's existing wireless infrastructure. Company B has their own ISE in their network. Also, the client wants to install a new WLC and APs and manage these devices.
Here is my idea, and I want to know what your thoughts are.
The proposed solution is that Company A will provision layer 2 (a new VLAN). The new SSID will be configured on the new WLC. Company A will configure the new VLAN on its switches and hand off to Company B's router. Company B's router will look after the DHCP scope for the wireless printers and routing.
Now, the tricky part. Not sure where Company A's ISE comes into the picture and how proxy RADIUS flow works. Let's understand the concept and again, please correct me if I am wrong.
Do I have a correct understanding?
Also, what if the WLC points directly to Company B's ISE server? This may not be possible as the WLC would not be aware of Company B's IP?
I will post a diagram tomorrow and hope that my explanation is not confusing.
Thanks.
Dave
05-01-2018 05:53 AM
Yes, assuming you can get the IP addressing to work, Proxy RADIUS would work, but, in no particular order...
If the Client wants to install a new WLC and APs, why is the first company involved at all - surely the second company would just manage all of it? What is the relationship of these new devices to the Client and the two Suppliers?
Why are you using a new SSID? Why not keep the same SSID and just change the RADIUS Servers it uses, or do you have other things on there as well?
What is the relationship like between the two suppliers? How will you manage change controls, outages, SLAs, penalty clauses, troubleshooting, security audits, etc etc...
Don't use WPA - only use WPA2.
Personally, I prefer to keep things as simple as possible. I'm sure there's politics and commercials at play here, but if you can get it down to an exclusively single-supplier solution and avoid proxy RADIUS, go for that.
08-09-2018 05:45 PM
Thank you