Help with wireless design, 802.1x security, BYOD, RADIUS, ACS

Phil Williamson
Level 1

Need some advice on how to tackle some wireless issues, concerns and questions.

The network looks like this:
- Data Center with only one AIR-CTC5508-K9 (v7.4.115.0) supporting 125 LAPs; there are plans for a redundant pair.
- 50 offices connect to the DC via Metro Ethernet/MPLS, each with a 20Mbit connection.
- Each office is a separate OSPF area and routed VLAN. Only three wireless VLANs at this time.
- Only data on wireless - no voice or video, and no plans for them in the foreseeable future.
- Each remote also has a broadband Internet connection for failover to the DC on VPN.
- Currently all Internet access is through the DC.

Is it possible to use the local office ISP connection for GUEST Internet in this scenario? Since all wireless is CAPWAP encapsulated I'm thinking I cannot, but I'm up for suggestions.

802.1x user security is the top priority to implement at this time. How much functionality does one get (or lose) with a Microsoft based RADIUS server, versus something like Cisco ACS for 802.1x? User devices run the gamut of Microsoft, Apple, Android etc - a true BYOD scenario.

Suggestions for reading material?

Thanks

Accepted Solution

If you use FlexConnect mode (as opposed to local mode) APs in these branches, then all branch traffic will terminate on branch switches. In this way you can allow guest SSID user traffic to use the DSL available at the branch. So the WLAN is to be configured as FlexConnect Local Switching.

If you want certain WLANs to be centrally switched (where traffic is tunneled back to HQ), you can do that as well.

ISE is the recommended product from Cisco as a RADIUS server.

Here is a good branch wireless design presentation from Ciscolive

HTH

Rasika

**** Pls rate all useful responses ****
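As an added illustration of the FlexConnect design described in this reply (this is not configuration from the original thread or from the Ciscolive deck), the fragment below uses AireOS-style WLC CLI to put a branch AP into FlexConnect mode, locally switch a guest WLAN onto a branch VLAN so it can break out via the branch DSL/broadband link, and keep a corporate 802.1X WLAN centrally switched against a RADIUS server. The AP name BR01-AP1, the VLAN IDs, the RADIUS address 192.0.2.10 and the shared secret are assumed placeholders, and the "!" lines are explanatory comments rather than WLC input; check each command against the 7.4 command reference before applying it.

```text
! --- Assumed values: AP name BR01-AP1, guest VLAN 40, native VLAN 1,
! --- RADIUS server 192.0.2.10 (placeholder), shared secret SECRET_PLACEHOLDER

! 1. RADIUS server for 802.1X (server index 1); the corporate WLAN references this index
config radius auth add 1 192.0.2.10 1812 ascii SECRET_PLACEHOLDER
config radius auth enable 1

! 2. Corporate WLAN (id 1): WPA2 with 802.1X AKM, centrally switched (the default),
!    so user traffic stays inside the CAPWAP tunnel and exits through the DC firewall
config wlan create 1 Corp Corp
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan enable 1

! 3. Guest WLAN (id 2): open SSID with web auth, FlexConnect local switching ON,
!    so guest frames are placed on the branch switch instead of being tunneled to the DC
config wlan create 2 Guest Guest
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan flexconnect local-switching 2 enable
config wlan enable 2

! 4. Branch AP: FlexConnect mode (the AP reboots on a mode change); its switchport must be
!    a trunk carrying VLAN 40. Map guest WLAN 2 to VLAN 40, which the branch router
!    should route only toward the local ISP, never into the corporate OSPF area.
config ap mode flexconnect BR01-AP1
config ap flexconnect vlan enable BR01-AP1
config ap flexconnect vlan native 1 BR01-AP1
config ap flexconnect vlan wlan 2 40 BR01-AP1

! 5. Verify the WLAN switching mode and the AP's FlexConnect state
show wlan 2
show ap config general BR01-AP1
```

The security-relevant split is in steps 2 to 4: the 802.1X corporate WLAN keeps its traffic centrally switched, while only the guest WLAN is locally switched, and the guest VLAN exists at the branch purely as a path to the ISP. An ACL or separate routing table on the branch router keeping VLAN 40 off the MPLS/VPN path is what actually enforces that isolation; the WLC configuration alone only decides where the frames land.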

3 Replies


Manannalage,

Thanks for the very informative and helpful reply. The Ciscolive presentation is just what I'm looking for. It's amazing what a combination of well executed pictures and supporting text can do to illuminate an otherwise complicated situation.

Can you help me understand the differences between Cisco Secure ACS and ISE? My customer currently is using Solarwinds with Orion for network monitoring - NetFlow etc. Neither ACS nor ISE is inexpensive, so can ISE take the place of ACS?

Thanks,

Phil

Hi Phil,

ISE can do many more functions (AAA, Guest Service, Device profiling, monitoring & reporting) compared to ACS (only AAA). Going forward ISE is going to be the dominant product, and ACS may be discontinued in future.

Here is another Ciscolive presentation you can go through:

BRKSEC-2044 Building an Enterprise Access Control Architecture with ISE

You can watch the video session of the above from here:

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=77948&backBtn=true

By the way, this Ciscolive material is freely accessible; if you register with Ciscolive.com you can access any Ciscolive event materials. Here is the registration link:

https://www.ciscolive.com/online/connect/createAccount.ww


HTH

Rasika

*** Pls rate all useful responses ***
