Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2788
Views
4
Helpful
2
Replies

Guest access options - wireless and wired

brian.k.clarke
Level 5
Level 5

‎11-10-2010 09:19 AM - edited ‎03-09-2019 11:15 PM

I’m looking to get some clarification/design guidance around the different methods by which guest access (wired and wireless) can be provisioned in a Cisco infrastructure.  There are several methods that can provide this, that I’m aware of:

1)     -  via a wireless anchor controller in the DMZ, which can actually provide Internet-only access to both wired and wireless clients.

2)      - via the Secure Access Control Server/System (ACS), whereby you can define “guest” access to be limited to whatever you want

3)      - via the NAC Guest Access Server (which is the solution I’m least familiar with)

I’m currently researching an ACS project, where they are looking to provide centralized AAA, but ALSO restricted access to wired and wireless clients based on AD authentication.  ACS appears capable of all of this, so I’m trying to determine how/if the other solutions would fit in, and what additional benefit they would provide if supplementing the ACS solution?   (I’ve also seen Cisco security docs where they indicate the NAC Guest Access Server as a solution that can deployed alongside ACS, so again, I’m trying to determine the boundaries and limitations of each guest access solution.)

So, benefits/weaknesses/recommendations and integration benefits of each of the guest solutions above – links to docs/presos are appreciated, of course.  I don’t mind doing the reading… 

Thank you.

Labels:
0 Helpful
2 Replies 2

Lauren Sullivan
Level 1
Level 1

‎11-10-2010 02:19 PM

I'll just talk to the NAC guest server side.  In essence, it can be used as a RADIUS server for WLCs and other devices (here's a config of how to do it with WLC, for example: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml).  The "extra" part of it is that it gives you a web portal for authenticated sponsors to create these guest accounts (with time limits and as much information about the guest user as you wish) and, via syslogging, track what those guest users are accessing.  You can also allow guests to self-register themselves, via a hotspot.  You would still need some kind of network enforcment device (WLC) to direct those users to a captive portal (which could be on the device or on the guest server).  Here's the introduction to the NGS, which pretty much says the same thing as me, except much more nicely : http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_intro.html#wp1060656

brian.k.clarke
Level 5
Level 5
In response to Lauren Sullivan

‎11-15-2010 05:51 PM

Thank you for the response, Lauren - appreciated, and makes sense.

I'm keeping the thread open, in the hopes I can get some additional feedback/comparison between options 1) and 2) - compare and contrast.

Thanks!

0 Helpful
Customers Also Viewed These Support Documents