In this document, Cisco TAC engineer Varun Ajmani explains how to configure wireless guest access with an anchor controller setup on release 7.0.
The controller provides guest user access on WLANs, for which we can use the foreign/anchor controller setup. The anchor controller can be placed in a demilitarized zone (DMZ) to segregate the guest traffic.
Cisco recommends the use of a controller dedicated to guest traffic. This controller is known as the guest anchor controller.
The guest anchor controller is usually located in an unsecured network area, often called the demilitarized zone (DMZ). The other internal WLAN controllers, where the traffic originates, are located in the enterprise LAN. An EoIP tunnel is established between the internal WLAN controllers and the guest anchor controller in order to ensure path isolation of guest traffic from enterprise data traffic. Path isolation is a critical security management feature for guest access. It ensures that security and quality of service (QoS) policies can be kept separate and differentiated between guest traffic and corporate or internal traffic.
An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific guest anchor controller within the network. All traffic—both to and from a mapped WLAN—traverses a static EoIP tunnel that is established between a remote controller and the guest anchor controller.
Using this technique, all associated guest traffic can be transported transparently across the enterprise network to a guest anchor controller that resides in the unsecured network area.
Follow the steps below to achieve this:
1. Create a WLAN on the foreign controller.
2. Enable the WLAN and set the Layer 2 security to None.
3. Set the Layer 3 security to Web Policy, which offers multiple options for the type of authentication. In this document, we will focus on Web Authentication.
We can set the QoS to Bronze because this is the guest WLAN; however, that depends on the requirement. Leave all other options at their defaults.
4. Set up the same WLAN on the anchor controller. Make sure the config matches the foreign controller exactly.
5. Now we need to set up mobility between the two controllers.
Go to Foreign Controller -> Mobility Management -> Mobility Groups.
Add the anchor controller’s IP address, burned-in MAC address (which can be checked under Controller -> Inventory) and the Mobility Domain Name.
Repeat the same procedure to add the foreign controller on the anchor controller. The mobility should come up within a minute.
6. We need to set up auto anchoring for the SSID we created. Go to WLANs -> guestanchor WLAN, hover over the blue arrow on the right, and click Mobility Anchors.
The anchor controller’s IP should appear in the Switch IP Address (Anchor) drop-down. Select it and click Mobility Anchor Create.
On the anchor controller, go to the same option under the SSID and add local for auto anchoring.
7. If we want to use the anchor controller as the DHCP server, we can create a DHCP scope under Controller -> Internal DHCP Server -> DHCP Scope.
Once we do that, make sure of the following options:
The DHCP server under the management interface (or the interface selected for the guest anchor WLAN) should be set to the anchor controller’s IP address.
DHCP proxy is enabled under Controller -> Advanced.
8. Create a user under Security -> Local Net Users.
9. We can use the internal, external, or customized web auth page.
10. Now we’re done with the config and are ready to test the client.
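For reference, steps 1 to 6 can also be entered from the controller CLI. This listing is an added example, not part of the original document; the IP addresses, MAC addresses, mobility group names and WLAN ID are constructed placeholder values, and the profile name and SSID are both assumed to be guestanchor. Mobility members are added first because a controller can only be chosen as a mobility anchor once it is in the mobility list.

```text
# Lines starting with "#" are annotations, not controller commands.
# Assumed values (constructed, not from the original document):
#   foreign WLC: mgmt IP 192.0.2.10,    MAC 00:00:5e:00:53:0a, group corp-mob
#   anchor WLC:  mgmt IP 198.51.100.20, MAC 00:00:5e:00:53:14, group dmz-mob
#   WLAN ID 5, profile name and SSID "guestanchor"

# ---------- Foreign controller (enterprise LAN) ----------
# Step 5: add the anchor controller as a mobility member
config mobility group member add 00:00:5e:00:53:14 198.51.100.20 dmz-mob
# Step 1: create the guest WLAN (created in the disabled state)
config wlan create 5 guestanchor guestanchor
# Step 2: Layer 2 security None (turn off the default WPA policy)
config wlan security wpa disable 5
# Step 3: Layer 3 web authentication, Bronze QoS
config wlan security web-auth enable 5
config wlan qos 5 bronze
# Step 6: anchor the WLAN to the DMZ controller while it is still disabled
config wlan mobility anchor add 5 198.51.100.20
# Step 2: enable the WLAN only after the anchor is in place
config wlan enable 5

# ---------- Anchor controller (DMZ) ----------
# Step 5: add the foreign controller as a mobility member
config mobility group member add 00:00:5e:00:53:0a 192.0.2.10 corp-mob
# Step 4: same WLAN with matching settings
config wlan create 5 guestanchor guestanchor
config wlan security wpa disable 5
config wlan security web-auth enable 5
config wlan qos 5 bronze
# Step 6: anchor to its own management IP (the "local" entry in the GUI)
config wlan mobility anchor add 5 198.51.100.20
config wlan enable 5

# ---------- Verification (run on both controllers) ----------
show mobility summary
show mobility anchor
show wlan 5
```

If the WLAN on the foreign controller is enabled without a mobility anchor, guest clients are bridged onto the enterprise LAN instead of being tunnelled to the DMZ, so confirm the anchor entry with `show mobility anchor` before testing a client.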