ISE - WLC Guest Implementation

rajcisco
Level 1

Hello All,

I am trying to implement a guest network using ISE 2.2 and a WLC (AireOS) with FlexConnect (central authentication and local switching). I am using a separate interface on the ISE PSN for guest, but the same management interface on the WLC where the other enterprise traffic is terminated, due to the present architecture (all branch offices use local switching; there is no central switching). I see that ISE can provide an initial ACL (redirecting the guest to the PSN for authentication) and a second ACL once authenticated (to access only the Internet).

But is there anything else to consider from a security perspective, as I am using the WLC's management interface for the guest?

Note: guest traffic is routed to the Internet using a VRF/VLAN over the firewall to the local Internet link.

Thanks for your time.


6 Replies

paul
Level 10

This is a common setup, i.e. FlexConnect guests to a local VRF at the remote site, sending them out to the Internet. The only issue you have to tackle is getting the guests back to the PSNs for the guest portal. I usually bring them in over the Internet. Use a second interface on the PSNs and put it in a DMZ and open up 8443 access from the Internet, or put up dedicated guest PSNs in the DMZ. I like dedicated guest PSNs; then I don't have a dual-legged box sitting in the DMZ.

Thank you Paul for the reply.

Actually, my design flow is something like below:

Guest --> SSID (AP) --> WLC --> PSN (first ACL) --> WLC --> Guest (redirect page) --> passcode entered --> WLC --> PSN --> authenticated (second ACL) --> WLC --> Guest --> local firewall --> Internet

First ACL: provides access only to the PSN.

Second ACL: provides access only to the Internet.

I am using a PSN with two legs, but not in a DMZ; the second leg is in a separate guest VRF. The WLC management interface will communicate with the PSN interface (in the guest VRF) over the firewall, just for control traffic.
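As an added example (not part of the original thread, and not a config either poster shared), the two FlexConnect ACLs that the flow above relies on, written in AireOS CLI. The ACL names (GUEST_REDIRECT, GUEST_INTERNET), the PSN guest-VRF address 10.99.0.10, the FlexConnect group name BRANCH-FLEX and the choice to deny the RFC 1918 ranges post-auth are all assumptions; the command that binds the ACLs to the FlexConnect group is also an assumption to be checked against the command reference for the WLC release in use.

```text
! Added example, not from the original thread: AireOS FlexConnect ACLs for
! the two-stage flow (redirect ACL first, Internet-only ACL after auth).
! Hypothetical values:
!   PSN guest-VRF interface  10.99.0.10
!   FlexConnect group        BRANCH-FLEX
! On an AireOS url-redirect ACL, "permit" lets traffic through and "deny"
! (the implicit default at the end) is what triggers the portal redirect.
! FlexConnect ACLs are stateless, so return traffic needs its own rule.
! Direction convention assumed: in = from the wireless client, out = to it.

! ---- Stage 1: pre-auth ACL, returned by ISE as url-redirect-acl ----
config flexconnect acl create GUEST_REDIRECT
! DHCP: client src 68/dst 67, server src 67/dst 68 (one rule covers both)
config flexconnect acl rule add GUEST_REDIRECT 1
config flexconnect acl rule action GUEST_REDIRECT 1 permit
config flexconnect acl rule protocol GUEST_REDIRECT 1 17
config flexconnect acl rule destination port range GUEST_REDIRECT 1 67 68
! DNS query (dst 53) and reply (src 53)
config flexconnect acl rule add GUEST_REDIRECT 2
config flexconnect acl rule action GUEST_REDIRECT 2 permit
config flexconnect acl rule protocol GUEST_REDIRECT 2 17
config flexconnect acl rule destination port range GUEST_REDIRECT 2 53 53
config flexconnect acl rule add GUEST_REDIRECT 3
config flexconnect acl rule action GUEST_REDIRECT 3 permit
config flexconnect acl rule protocol GUEST_REDIRECT 3 17
config flexconnect acl rule source port range GUEST_REDIRECT 3 53 53
! Guest portal on the PSN guest-VRF leg, tcp/8443, both directions
config flexconnect acl rule add GUEST_REDIRECT 4
config flexconnect acl rule action GUEST_REDIRECT 4 permit
config flexconnect acl rule protocol GUEST_REDIRECT 4 6
config flexconnect acl rule destination address GUEST_REDIRECT 4 10.99.0.10 255.255.255.255
config flexconnect acl rule destination port range GUEST_REDIRECT 4 8443 8443
config flexconnect acl rule add GUEST_REDIRECT 5
config flexconnect acl rule action GUEST_REDIRECT 5 permit
config flexconnect acl rule protocol GUEST_REDIRECT 5 6
config flexconnect acl rule source address GUEST_REDIRECT 5 10.99.0.10 255.255.255.255
config flexconnect acl rule source port range GUEST_REDIRECT 5 8443 8443
! Everything else hits the implicit deny and is redirected to the portal
config flexconnect acl apply GUEST_REDIRECT

! ---- Stage 2: post-auth ACL, returned by ISE as Airespace-ACL-Name ----
! Internet only: keep DHCP working, block client-originated traffic to
! RFC 1918 space (WLC management, PSN, branch LAN), then permit the rest.
! If guests resolve against a private DNS server, permit it before the denies.
config flexconnect acl create GUEST_INTERNET
config flexconnect acl rule add GUEST_INTERNET 1
config flexconnect acl rule action GUEST_INTERNET 1 permit
config flexconnect acl rule protocol GUEST_INTERNET 1 17
config flexconnect acl rule destination port range GUEST_INTERNET 1 67 68
config flexconnect acl rule add GUEST_INTERNET 2
config flexconnect acl rule action GUEST_INTERNET 2 deny
config flexconnect acl rule direction GUEST_INTERNET 2 in
config flexconnect acl rule destination address GUEST_INTERNET 2 10.0.0.0 255.0.0.0
config flexconnect acl rule add GUEST_INTERNET 3
config flexconnect acl rule action GUEST_INTERNET 3 deny
config flexconnect acl rule direction GUEST_INTERNET 3 in
config flexconnect acl rule destination address GUEST_INTERNET 3 172.16.0.0 255.240.0.0
config flexconnect acl rule add GUEST_INTERNET 4
config flexconnect acl rule action GUEST_INTERNET 4 deny
config flexconnect acl rule direction GUEST_INTERNET 4 in
config flexconnect acl rule destination address GUEST_INTERNET 4 192.168.0.0 255.255.0.0
config flexconnect acl rule add GUEST_INTERNET 5
config flexconnect acl rule action GUEST_INTERNET 5 permit
config flexconnect acl apply GUEST_INTERNET

! Make both ACLs available to the branch FlexConnect group
! (assumed syntax; verify against the command reference for your release)
config flexconnect group BRANCH-FLEX policy acl add GUEST_REDIRECT
config flexconnect group BRANCH-FLEX policy acl add GUEST_INTERNET

! ISE side (authorization profile results), for reference:
!   Stage 1: cisco-av-pair = url-redirect-acl=GUEST_REDIRECT
!            cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=<portal id>&action=cwa
!   Stage 2: Airespace-ACL-Name = GUEST_INTERNET
```

The ACL names ISE returns must match the FlexConnect ACL names on the WLC exactly, or the AP has nothing to apply and the session stays in the redirect state. The `in`-direction denies in GUEST_INTERNET are what makes the second ACL "Internet only" in practice: they cover the private ranges that hold the WLC management interface and the PSN, so an authenticated guest can reach neither, while replies from Internet hosts to the guest's private address still pass under the final permit.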

So are you running the SSID in FlexConnect or not? If so, then the WLC is not involved in anything except passing the RADIUS authentication. The traffic flow you need to make work is:

Guest -> AP -> PSN.


Yes, I am running FlexConnect on the SSID; the WLC is only used to redirect the RADIUS traffic to the PSN and to apply the ACL to the FlexConnect group based on ISE policy.

Sorry, I didn't mention it: the setup is working fine. Back to my question, are there any security measures that should be considered when using the same management interface on the WLC for enterprise and guest RADIUS traffic?

 

 

None that I can think of. This is a common setup. There is no avenue for guests to actually use that channel to do anything. I have never separated authentication traffic from the WLC to ISE. Actually, user traffic, yes, but not authentication traffic.

Thank you, Paul, for your time and information.