Showing results for 
Search instead for 
Did you mean: 

Guest access options - wireless and wired


I’m looking to get some clarification/design guidance around the different methods by which guest access (wired and wireless) can be provisioned in a Cisco infrastructure.  There are several methods that can provide this, that I’m aware of:

1)     -  via a wireless anchor controller in the DMZ, which can actually provide Internet-only access to both wired and wireless clients.

2)      - via the Secure Access Control Server/System (ACS), whereby you can define “guest” access to be limited to whatever you want

3)      - via the NAC Guest Access Server (which is the solution I’m least familiar with)

I’m currently researching an ACS project, where they are looking to provide centralized AAA, but ALSO restricted access to wired and wireless clients based on AD authentication.  ACS appears capable of all of this, so I’m trying to determine how/if the other solutions would fit in, and what additional benefit they would provide if supplementing the ACS solution?   (I’ve also seen Cisco security docs where they indicate the NAC Guest Access Server as a solution that can deployed alongside ACS, so again, I’m trying to determine the boundaries and limitations of each guest access solution.)

So, benefits/weaknesses/recommendations and integration benefits of each of the guest solutions above – links to docs/presos are appreciated, of course.  I don’t mind doing the reading… 

Thank you.

2 Replies 2

Lauren Sullivan

I'll just talk to the NAC guest server side.  In essence, it can be used as a RADIUS server for WLCs and other devices (here's a config of how to do it with WLC, for example:  The "extra" part of it is that it gives you a web portal for authenticated sponsors to create these guest accounts (with time limits and as much information about the guest user as you wish) and, via syslogging, track what those guest users are accessing.  You can also allow guests to self-register themselves, via a hotspot.  You would still need some kind of network enforcment device (WLC) to direct those users to a captive portal (which could be on the device or on the guest server).  Here's the introduction to the NGS, which pretty much says the same thing as me, except much more nicely :

Thank you for the response, Lauren - appreciated, and makes sense.

I'm keeping the thread open, in the hopes I can get some additional feedback/comparison between options 1) and 2) - compare and contrast.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers