I have a huge issue getting my wireless guest network working. I have seen a lot of suggestions using an extra wlc as an anchor, but at the moment that's not possible.
My equipment is as follows:
- Cisco ASA 5505
- Cisco WS-3850 PoE
- Cisco WS-2960-X PoE
- Cisco WLC 5500
At the moment we don't use any VLAN's except the management vlan 1 on our Cisco Switches. This will be changed, but just not yet.
The connection right now looks like this (if it makes sense):
Fiber / Internet ------> Cisco ASA 5505 -----> WS-3850 PoE (our gateway) -------> Cisco 2690-X PoE
-------------------> Connected to AP
-------------------> Connected to Clients
-------------------> Connected to WLC
Right now we have an SSID named "Internal" that is for employee's only, which works fine - it authenticates with our Radius server and gets a DHCP from our DHCP server.
I wan't another SSID using the built in Guest network feature on the WLC, but isolate the network on a vlan (vlan 50 as an example) and route the traffic directly from a guests machine and through the switches and then out of the ASA to the internet - without being able to access any of the internal resources.
Is this possible and how the heck do I set it up. I've tried various of things, but it just wont work out for me. Could someone be so kind to take me through it step by step, by writing the configuration on each device (ASA, 3850, 2960-X and the WLC controller). I think I would place the DHCP server for the Guest lan on the ASA - unless you have better ideas.
I could create the guest SSID network, but leave it tunnelled (then you don't need to create any vlans). I would terminate this on a new interface on your WLC, and then connect that directly to your 5505 ASA on a new interface called something like "Guest" with whatever access rules you like.
One important thing I forgot to mention - I have several sites around the world. So if I did what you explained Philip, it would mean that it won't work except where a WLC is installed right?
That was why I was thinking of VLAN's which could be setup on other sites :)
Or am I wrong here?
So right now our main Datacenter (if you can call it that) is at Location A. We do also have a Location, B, C, D, E and F.
But the only WLC we have is based at Location A. The rest of the sites are just Offices, with their own Cisco ASA, switches and of course a Domain Controller. So no WLC there.
On our WLC we have of course setup FlexConnect Groups for the different sites we have.
- And yes, they are all managed by the WLC at Location A.