In this document, Cisco TAC engineer Varun Ajmani explains how to configure Wireless Guest Access with an anchor setup on release 7.0.
The controller provides guest user access on WLANs, and for guest WLANs we can use the foreign/anchor controller setup. The anchor controller can be placed in a demilitarized zone (DMZ) to segregate guest traffic from the internal network.
Cisco recommends the use of a controller dedicated to guest traffic. This controller is known as the guest anchor controller.
The guest anchor controller is usually located in an unsecured network area, often called the demilitarized zone (DMZ). Other internal WLAN controllers from where the traffic originates are located in the enterprise LAN. An EoIP tunnel is established between the internal WLAN controllers and the guest anchor controller in order to ensure path isolation of guest traffic from enterprise data traffic. Path isolation is a critical security management feature for guest access. It ensures that security and quality of service (QoS) policies can be separate, and are differentiated between guest traffic and corporate or internal traffic.
An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific guest anchor controller within the network. All traffic—both to and from a mapped WLAN—traverses a static EoIP tunnel that is established between a remote controller and the guest anchor controller.
Using this technique, all associated guest traffic can be transported transparently across the enterprise network to a guest anchor controller that resides in the unsecured network area.
Follow the steps below to achieve this:
1. Create a WLAN on the Foreign controller.
2. Enable the WLAN and set the Layer 2 security to None.
3. Set the Layer 3 security to Web Policy. This gives several options for the type of authentication; in this document we focus on Web Authentication.
We can set the QoS to Bronze since it is the guest WLAN, but this depends on the requirement. Leave all other options at their defaults.
4. Set up the same WLAN on the Anchor controller. Make sure the configuration matches the Foreign controller exactly (profile name, SSID, Layer 2 and Layer 3 security); a mismatch prevents the client from being anchored.
5. Now we need to set up mobility between the two controllers.
Go to Foreign Controller -> Mobility Management -> Mobility Groups.
Add the Anchor controller's IP address, burned-in MAC address (which can be checked under Controller -> Inventory) and the Mobility Domain Name.
Repeat the same procedure to add the Foreign controller on the Anchor controller. Mobility should come up within a minute.
6. We need to set up auto-anchoring for the SSID we created. Go to WLANs -> guestanchor WLAN, hover over the blue arrow on the right and click Mobility Anchors.
The Anchor controller's IP should appear in the Switch IP Address (Anchor) drop-down. Select it and click Mobility Anchor Create.
On the Anchor controller, go to the same option under the SSID and add local as the anchor, so the Anchor controller anchors the WLAN to itself.
7. If we want to use the Anchor controller as the DHCP server, we can create a DHCP scope under Controller -> Internal DHCP Server -> DHCP Scope.
Once that is done, make sure of the following:
The DHCP server under the management interface (or the interface selected for the guest anchor WLAN) is set to the Anchor controller's IP address.
DHCP proxy is enabled under Controller -> Advanced.
8. Create a user under Security -> Local Net Users.
9. We can use the internal, external or customized web auth page.
10. Now we are done with the configuration and are ready to test the client.
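The same configuration can be done from the controller CLI. The block below is an added example, not part of the original document; it assumes the AireOS `config`/`show` command syntax of the 7.x releases (check the command reference for the exact release), and all names, WLAN IDs, addresses (RFC 5737 documentation ranges) and MAC addresses are constructed placeholders. Lines beginning with `!` are annotations only; the WLC CLI does not accept comments.

```cisco
! ---- Foreign controller (enterprise LAN, management IP 192.0.2.10) ----
! Create the guest WLAN: WLAN ID 5, profile "guestanchor", SSID "Guest"
config wlan create 5 guestanchor Guest
! Layer 2 security: None (WPA/WPA2 is on by default for a new WLAN)
config wlan security wpa disable 5
! Layer 3 security: Web Policy with web authentication
config wlan security web-auth enable 5
! Guest traffic gets Bronze QoS
config wlan qos 5 bronze
! Mobility: domain name, then the anchor as a group member (anchor's burned-in MAC and IP)
config mobility group domain guestgroup
config mobility group member add 00:11:22:33:44:55 192.0.2.20 guestgroup
! Auto-anchor: point the WLAN at the anchor controller's management IP
config wlan mobility anchor add 5 192.0.2.20
config wlan enable 5

! ---- Anchor controller (DMZ, management IP 192.0.2.20) ----
! The WLAN must match the foreign side exactly
config wlan create 5 guestanchor Guest
config wlan security wpa disable 5
config wlan security web-auth enable 5
config wlan qos 5 bronze
config mobility group domain guestgroup
! Add the foreign controller as a group member (its burned-in MAC and management IP)
config mobility group member add 00:aa:bb:cc:dd:ee 192.0.2.10 guestgroup
! "local" in the GUI: the anchor anchors the WLAN to its own management IP
config wlan mobility anchor add 5 192.0.2.20
! Optional: internal DHCP scope for guests, served by the anchor itself
config dhcp create-scope guest
config dhcp network guest 198.51.100.0 255.255.255.0
config dhcp address-pool guest 198.51.100.50 198.51.100.200
config dhcp default-router guest 198.51.100.1
config dhcp enable guest
! DHCP server on the management interface = the anchor's own IP, and proxy on
config interface dhcp management primary 192.0.2.20
config dhcp proxy enable
! Local guest user, valid for one day (lifetime in seconds)
config netuser add guest1 Guest-Pass-1 wlan 5 userType guest lifetime 86400 description visitor
config wlan enable 5

! ---- Verification (run on either controller) ----
! Mobility peer should show as Up
show mobility summary
! Control path (mobility messages) and data path (the EoIP tunnel) to the peer
mping 192.0.2.20
eping 192.0.2.20
! Confirm the Mobility Anchor List on the WLAN
show wlan 5
```

If `mping` succeeds but `eping` fails, the mobility control path is fine but the EoIP data path is blocked: guest traffic between the foreign and anchor controllers rides EoIP (IP protocol 97), while the mobility control messages use UDP 16666, so a firewall between the enterprise LAN and the DMZ must allow both between the controller management addresses and nothing more. Checking `show wlan 5` on both controllers side by side is the quickest way to spot the configuration mismatch that most often stops clients from being anchored.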