Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1291
Views
5
Helpful
6
Replies

ISE -WLC Guest Implementation

Go to solution
rajcisco
Level 1
Level 1

‎10-23-2018 06:16 AM

Hello All,

 

I am trying to implement guest network using ISE 2.2 & WLC (aireos), with flexconnect (central auth and local switch). I am using separate interface in ISE-PSN for guest, but using the same management interface in WLC where other enterprise traffic is terminated due to present architecture (all branch offices uses local switch, there is no central switching). I see ISE can provide initial ACL (redirect guest to psn for Authentication) and second ACL once authenticated (to access only Internet)

 

But Is there anything else to consider in security perspective, as i am using the WLC management interface of the controller for the Guest?

 

Note: Routing guest to internet using vrf/vlan over firewall to local internet link

 

Thanks for your time.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to rajcisco

‎10-23-2018 01:00 PM

None that I can think of. This is a common setup. There is no avenue for guests to actually use that channel to do anything. I have never separate authentication traffic from the WLC to ISE. Actually user traffic, yes, but not authentication traffic.


View solution in original post

6 Replies 6

Go to solution
paul
Level 10
Level 10

‎10-23-2018 06:53 AM

This is a common setup, i.e. FlexConnect guests to a local VRF at the remote site and send them out to the Internet.  The only issue you have to tackle is getting the guests back to the PSNs for the guest portal.  I usually bring them in over the Internet.  Use a second interface on the PSNs and put it in a DMZ and open up 8443 access from the Internet or put up dedicate guest PSNs in the DMZ.  I like dedicated guests PSNs then I don't have a dual legged box sitting in the DMZ.

0 Helpful

Go to solution
rajcisco
Level 1
Level 1
In response to paul

‎10-23-2018 09:06 AM

Thank you Paul for the reply

Actually my design flow is like something like below,

 

Guest-->SSID (AP)-->WLC-->PSN (first ACL)--->WLC--->Guest (Redirect Page) --> Passcode entered-->WLC --->PSN--->Authenticated (Second ACL)--WLC-->Guest-->local firewall--> Internet

First ACL - to provide only access to PSN

Second ACL- to provide only access to Internet

I am using PSN with two leg, but not in DMZ, second leg in separate guest vrf. WLC mgmt will communicate to PSN i/f(in guest vrf)over firewall just for control traffic

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to rajcisco

‎10-23-2018 09:26 AM

So are you running the SSID in FlexConnect or not? If so then the WLC is not involved in anything except passing the RADIUS authentication. The traffic flow you need to make work is :



Guest->AP->PSN.


0 Helpful

Go to solution
rajcisco
Level 1
Level 1
In response to paul

‎10-23-2018 12:56 PM

Yes I am running Flexconnect in SSID, using WLC is only to redirect RADIUS traffic to PSN and apply ACL to Flex Connect group based on ISE policy.

 

 

Sorry i didnt mention it, setup is working fine, back to my question, is there any security measures should be considered using same mgmt i/f in WLC for Enterprise and Guest RADIUS traffic

 

 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to rajcisco

‎10-23-2018 01:00 PM

None that I can think of. This is a common setup. There is no avenue for guests to actually use that channel to do anything. I have never separate authentication traffic from the WLC to ISE. Actually user traffic, yes, but not authentication traffic.


Go to solution
rajcisco
Level 1
Level 1
In response to paul

‎10-23-2018 02:39 PM

Thank you Paul for your time and information

0 Helpful
Customers Also Viewed These Support Documents